Gadens Regulatory Recap – 29 July 2024

This edition of the Gadens Regulatory Recap highlights recent developments from ASIC, APRA, OAIC, ACCC, and Treasury including various enforcement actions taken by the regulators. 

ASIC 

1. ASIC and OAIC share Memorandum of Understanding on information sharing to accelerate data and privacy breach responses: ASIC and the OAIC have agreed to and entered a Memorandum of Understanding (MoU) with regards to the sharing of data and privacy breach information. The MoU will allow the agencies to share information, both proactively and by written request, to assist both agencies to exercise powers or perform functions. The MoU includes the process and regulations required for the agencies to perform these new functions. The MoU was entered into against a backdrop in which data and privacy breaches are becoming increasingly common occurrences in the digital landscape. ASIC has identified that it requires the appropriate mechanisms to enable it to act quickly and effectively when required, and that this will be accommodated by enabling the agencies to proactively share necessary information so that both can exercise their respective powers and functions. The OAIC has in turn indicated that public interest is best served by allowing for a regulatory joint approach to privacy breaches that allows necessary information to be shared between the two agencies and therefore facilitates a coordinated joint response. The MoU comes into effect from the date of signing and will continue for as long as the agencies consider it to accurately reflect and support their respective powers functions and purpose.
2. ASIC releases better banking for Indigenous consumers report: On 15 July 2024, ASIC released Report 785 Better banking for Indigenous Consumers, (Report 785) which found that the more than two million low-income consumers were kept on high-fee accounts by Australian banks. As a result of ASIC’s review, Australian banks have migrated more than 200,000 customers to low-fee accounts, likely to result in future yearly savings of approximately $10.7 million. Following Report 785, the banks in questions are required to return over $28 million in fees to customers over the next 12 to 18 months. ASIC Commissioner Alan Kirkland stated that ASIC’s report highlighted “the impact the banking system can have on Australians” and that “banks need to ensure they have systems and processes in place so customers on low incomes can easily transition to low-fee accounts.”
3. ASIC and APRA release final rules and other information relating to the Financial Accountability Regime: ASIC and APRA have released final rules and information to assist insurers and superannuation trustees prepare for the commencement of the Financial Accountability Regime (FAR). FAR has already commenced for the banking sector and will commence on 15 March 2025 for the insurance and superannuation sectors.The joint resources include the following information: 

• a joint letter summarising the key issues raised during consultation including responses and the concept and application of key functions; 
• Financial Accountability Regime Regulator Rules Amendment Instrument No. 1 of 2024 and the Financial Accountability Regime Act (Information for register) Regulator Rules 2024 for key functions information inclusion in the FAR accountable persons register for insurance and superannuation;  
• an updated information paper to assist in understanding and complying with obligations under FAR; 
• an updated accountability statement guide and template to assist with the enhanced notification obligations; and 
• Instructions to assist with disclosure forms.  

 This full suite of instructive materials can be found here. 

4. ASIC releases estimated funding levies for industry for 2023-2024: On 8 July 2024, ASIC released is its 2023-2024 Cost Recovery Implementation Statement (CRIS). The CRIS provides estimates of costs and levies that ASIC imposes on each industry subsector which it provides to assist entities with budgeting and financial preparation. 

As ASIC’s funding model requires that the costs of its regulatory services are paid for by the entities that rely and benefit from them, rather than taxpayers. ASIC provides yearly invoices to entities subject to ASIC regulation for regulatory services provided. These invoices are intended to reflect ASIC’s costs for regulating the subsectors in which it operates. 

You can access a summary of ASIC’s estimated fees and levies for the upcoming financial year here and access information about how ASIC is funded here.  

5. ASIC proposes expiry of managed investment scheme legislative instrument: ASIC has proposed the sunsetting of the ASIC Corporations (Land Holding for Primary Production Schemes) Instrument 2024/15 (Instrument 2024/15) to take place in October.  

Instrument 2014/15 modifies the Corporations Act and applies where an offer of interest in a registered production scheme is made with an offer of rights attaching to land associated with the scheme by providing certain requirements that must be met by the responsible entity. These requirements include: 

• that the responsible entity take steps to ensure that regulatory approvals required to proceed with the primary production activities of the scheme be acquired and maintained; 
• that any interest of members in the land on which the primary production occurs be protected by registration in the form appropriate to the jurisdiction; and 
• ensuring that of the registered interest is a lease (or some other interest that requires regular payments) then the responsible entity has the power to require members to meet their payment obligations.  

ASIC has proposed sunsetting Instrument 2014/15 on the basis that the relief for primary production schemes affected by the instruments are no longer required to be managed by the fund sector.  ASIC is seeking stakeholder feedback from AFS licensees, superannuation trustees and other interested parties before 9 August 2024. Information on submissions can be found here.  

6. ASIC Enforcement Activities: ASIC has been active in the enforcement space in the last fortnight. 

• A financial adviser from Western Australia has been permanently banned from providing financial services for engaging in dishonest conduct. Most notably, he provided his employer with a falsified Financial Adviser Exam certificate and misled 24 clients in relation to his competency to provide financial advice.  

• Accumulus Capital Pty Ltd’s ACL has been cancelled for failing to pay ASIC industry funding levies and related late payment penalties.  

• Firstmac Limited breached its design and distribution obligations when it sent product disclosure statements for the Firstmac High Livez product to those existing term deposit holders, without first taking reasonable steps to ensure consistency with its TMD for the product. This is the first finding by a court of a contravention of these provisions. ASIC will now seek orders from the Federal Court imposing pecuniary penalties against Firstmac Limited. 

• The Australian promoter of BitConnect has been convicted by the Sydney District Court for providing unlicenced financial advice contrary to s911B(1) of the Corporations Act. He was released on a recognisance to be of good behaviour for three years. This case is a reminder that many crypto assets are financial products under the current law and that services relating to them (including seminars and promotions) require an Australian financial services licence. 

• A financial adviser from Queensland has been permanently banned from providing financial services for asking an authorised representative of the licensee, who was not employed at the time, to sign documents misleading clients into believing that personal advice had been provided when this was not the case. 

• A former mortgage broker from New South Wales has been permanently banned from providing financial services after she was convicted of 21 counts of various fraud offences. Two directors have been banned for three and five years respectively for failing to have adequate arrangements to manage conflicts of interest, and to ensure its representatives complied with the law.  

• American Express Australia Limited has been ordered to pay $8 million for failing to meet its design and distribution obligations. Justice Jackman stated that “a penalty of this order ensures it has a “sting” sufficient to deter both repetition by American Express and contravention by other providers of financial products.” 

• On 22 July 2024, ASIC published its quarterly enforcement and regulatory update from 1 April and 30 June 2024. The update demonstrates ASIC’s focus on enforcement action against company directors whose actions unfairly impact small businesses, highlighting the disqualification of seven directors during this quarter. 

APRA  

7. APRA releases responses on enhancement to quarterly insurance publications: APRA has now released its response following industry consultation it sought to improve APRA’s suite of quarterly insurance statistical publications. 

The proposed changes were: 

• a revision of the content in response to change to the reporting requirements following the advent of the Australian Accounting Standards Board 17 Insurance Contracts and changes to capital framework for private health insurers; and 
• improvements to the presentation of the data.  

Following stakeholder feedback, APRA also reported a high level of submissions seeking clarity on the treatment of confidential data.  

The response to APRA’s consultation can be found here.   

8. APRA imposes licence conditions on Fiducian: APRA has imposed additional licence conditions on Fiducian Portfolio Services Limited (FPSL) to address concerns related to data accuracy ahead of this year’s annual superannuation performance test.   

The new licence conditions, effective from 15 July 2024, require FPSL to: 

• take reasonable steps to ensure an expert completes a review of the accuracy and completeness of data submitted ahead of the 2024 performance test; 
• develop and implement a remediation plan, approved by APRA, to address any recommendations or concerns identified by the expert; and 
• provide APRA with an attestation regarding the accuracy of data and governance processes for data submissions. 

APRA Deputy Chair Margaret Cole emphasised the importance of data quality and accuracy, stating that it is crucial for driving industry transparency and ensuring trustees act in the best financial interests of their members.  

9. APRA issues $10.7 million infringement notices and accepts court enforceable undertaking from One Path Custodians 

APRA has accepted a court enforceable undertaking (CEU) from superannuation trustee One Path Custodians Pty Ltd (One Path) under which One Path have undertaken to rectify compliance deficiencies and compensate its members.  The CEU follows infringement notices issued by APRA for the alleged failure to invest its member’s default superannuation contributions in MySuper products as is required under the Superannuation Industry (Supervision) Act 1993 (SIS Act). 

Under the CEU, One Path has undertaken to: 

• identify members effected by the breaches and remediate them; 
• allocate additional resources to replace 100% of target balance of 0.25% of its funds under management that were depleted by the operational risk financing required to remediate members; and 
• Retain $40m of its exiting operation risk financing assets as an overlay until the requirements of the CEU are satisfied. 

This action shows that APRA is willing to take strong enforcement action against companies where it perceives that there is culture of non-compliance with governance requirements or meet their obligations under the SIS Act. 

10. APRA finalises revised Interest Rate Risk for Banking Book requirements: On 8 July 2024, APRA announced that it had finalised the revisions to the framework for Interest Rate Risk in the Banking Book requirements for authorised deposit-taking Institutions (ADIs). APRA’s response follows previous consultation relating to Prudential Standard APS 117 Capital Adequacy Interest Rate Risk in the Banking Book (APS 117), and submissions received by industry. 

APRA indicated that the changes have been designed to: 

• support policy changes made APS 117, including incorporation of international financial events of the past twelve months; 
• assist with the migration of data collection; and 
• ensure that a proportionate approach is achieved across ADIs, with non-significant financial institutions having less reporting requirements than significant financial institutions, based on each ADI’s nature, scale, and complexity. 

The finalised version of APS 117 is effective from 1 October 2025. 

ACCC 

11. The ACCC commences consultation on sustainability collaborations: The ACCC has released a draft guide to assist businesses in navigating competition law in the context of sustainability collaborations. The guide addresses the risk businesses face under competition law when working together to achieve positive environmental outcomes. It emphasises that while collaborative efforts can potentially breach competition law, businesses can seek ACCC authorisation to proceed without legal risk. ACCC Acting Chair Mick Keogh highlighted the importance of these collaborations for environmental benefits during Australia’s shift to a sustainable economy. He noted that ACCC authorisation provides a legal exemption from competition provisions, enabling businesses to implement collaborations without fear of legal action due to the mandate to consider sustainability benefits when evaluating applications for authorisation, aiming to balance competition promotion with public interest in sustainability. 

The guide outlines that ACCC authorisation may be granted when the public benefits of the collaboration outweigh any potential harm to competition. These benefits can include environmental improvements such as reduced greenhouse gas emissions, biodiversity protection, water systems benefits, or waste reduction. The draft guide aims to clarify that competition law should not hinder collaborations that offer significant public benefits. The ACCC aims to finalise the guide by late 2024 after seeking feedback from stakeholders. 

OAIC 

12. The OAIC makes statement on MediSecure Cyber breach: On 18 July 2024, the OAIC made a statement in relation to the cyber security incident experienced by MediSecure. Specifically, the OAIC noted that approximately 12.9 million individuals may have been impacted, which constitutes the largest number of individuals impacted under the Notifiable Data Breaches regime. 

Privacy Commissioner, Carly Kind, stated that “the size and scope of the personal information involved in the MediSecure breach today is a further reminder of the need for organisations to make protecting individuals’ personal information a top priority.” MediSecure has separately released a statement that sets out the type of information impacted by the incident. 

13. OAIC comments on GPEN Sweep findings: On 10 July 2024, the OAIC released a statement relating to the Global Privacy Enforcement Network (GPEN) Sweep, which took place between 29 January and 2 February 2024, and involved participants from 26 privacy enforcement agencies internationally. Key findings of the sweep included: 

• Complex and confusing language: more than 89% of privacy policies were overly long, or used complex language that required higher education to properly understand; 
• Interface interference: 42% of websites and apps used emotionally charged language to influence user decisions relating to user privacy choices, and 57% made the least privacy protective option the most obvious for users to select; 
• Nagging: 35% of websites and apps asked users to reconsider requests to delete accounts; 
• Obstruction: in 40% of cases, obstacles were faced in making privacy choices or accessing privacy information; and 
• Forced action: 9% of websites and apps forced users to disclose additional personal information when deleting an account than was required to open an account. 

While the GPEN Sweep was not intended to be an investigation, or lead to formal findings relating to violations of privacy legislation in respective jurisdictions, GPEN, and the OAIC, recommends that organisations consider the ways in which design patterns allow users to make privacy-protective decisions when navigating their platforms. 

Treasury  

14. The Pacific Banking Forum provides outcomes statement: On 8 and 9 July, the Pacific Banking Forum was co-hosted by Australia and the United States in Brisbane. The purpose of the forum was to outline both governments commitment to working with Pacific Island countries and other partners in the region to remedy the decline in correspondent banking relationships (CRBs) in the Pacific, which has seen the most withdrawals of CRBs in the world representing a forecast decline in economic growth, stability and resilience.  

The Forum emphasised the importance of continuing to develop financial sector regulation and supervision across Pacific Island Countries and continuing to implement joint coordination to promote financial growth and inclusion in the region.  The full Outcomes Statement can be found here. 

If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.

Authored by:

Caroline Ord, Partner
Sinead Lynch, Partner
Kate Mills, Partner
Michael Kenny, Partner
Daniel Maroske, Partner
Kelly Griffiths, Partner
Matthew Bode, Partner
Anna Fanelli, Senior Associate
Patrick Simon, Associate
Tehlyn Murray, Associate
Bronte Anderson, Lawyer
Declan Melia, Lawyer
Monica Baur, Lawyer
Zoe Firmin, Lawyer