Gadens Regulatory Recap – 4 September 2024

This edition of the Gadens Regulatory Recap highlights recent developments from ASIC, APRA, ACCC, OAIC, Treasury, and the Federal Parliament including various enforcement actions taken by the regulators. 

ASIC  

1. ASIC continues extensive action against greenwashing 

ASIC has made 47 regulatory interventions in relation to greenwashing misconduct, including commencing two Federal Court proceedings and issuing over $123,000 in infringement notices.  

ASIC’s intervention between 1 April 2023 and 30 June 2024 included: 

• obtaining 37 corrective disclosure outcomes by various entities; 
• issuing eight infringement notices adding up to over $123,000; and  
• commencing civil penalty proceedings against LGSS Pty Limited (Active Super) and Vanguard Investments Australia.  

The interventions related to: 

• insufficient disclosure on the scope of ESG investment screens and investment methodologies;  
• underlying investments that are inconsistent with disclosed ESG investment screens and investment policies; and  
• sustainability-related claims made without reasonable grounds or without sufficient detail.  

2. ASIC refreshes Corporates Plan and expands strategic priorities for the coming 12 months  

ASIC’s Corporate Plan for 2024-28 expands the regulator’s existing commitment to strengthening integrity across Australia’s markets by setting out five strategic priorities:  

• Improve consumer outcomes: This work will focus on the design and distribution of financial products, predatory behaviour and hardship, claim and dispute handling.  
• Address financial system climate change risk: This work will focus on greenwashing, climate-related disclosures, integrity in carbon credit markets and insurance claims following extreme weather events. 
• Better retirement outcomes and member services: This work will focus on improved services for fund members, and enhancement of compliance by trustees and providers of managed investments and financial advice.  
• Advance digital and data resilience and safety: This work will focus on scam prevention and the poor use of artificial intelligence, along with building of business’ cyber and operational resilience. 
• Drive consistency and transparency across markets and products: This work will focus on existing and emerging products and services, including new market participations across both public and private markets. 

ASIC Chair Joe Longo described the move as “[putting] all market participants on notice,” with ASIC hoping the plan helps deliver enhanced trust and transparency that will attract investment and support Australian jobs and opportunities. 

3. Online investment trading scams top ASIC’s website takedown action

ASIC has coordinated the removal of 7,300 fraudulent websites in the past year as part of its ongoing fight against online investment scams. These sites, including fake investment platforms, phishing links, and cryptocurrency scams, have collectively cost Australians $1.3 billion in 2023. 

Scammers often use social media to promote these schemes, falsely claiming endorsements from public figures to lure victims. In response, ASIC collaborates with a third-party cybercrime detection company to swiftly identify and take down malicious websites, disrupting scam operations and protecting consumers. 

ASIC also partners with the National Anti-Scam Centre, sharing data and intelligence to bolster Australia’s defences against financial fraud. Consumers are urged to verify investment opportunities, stay informed through ASIC’s Moneysmart website, and report any suspicious activity to Scamwatch. 

4. Professional judgement at the insolvency frontline 

On 22 August 2024, the ASIC Commissioner Kate O’Rourke made an address at the Association of Independent Insolvency Practitioners (AIIP) Conference. Her address focused on the key proposed changes to ASIC Regulatory Guides RG 16 – External administrators – Reporting and lodging and RG 258 – Registered liquidators due to be published in September 2024.  

The changes to RG 16 will clarify the reporting obligations of registered liquidators as to apparent professional misconduct, such that a report will only be required if a liquidator forms a genuinely held view as to whether it appears misconduct has possibly occurred. A liquidator must otherwise exercise their professional judgement as to the level of investigation of misconduct and offending undertaken to get there. Changes to RG 258 will include enhanced guidance for liquidators as to the registration application process, including when there may be a shortfall in relevant applicant employment hours. 

5. ASIC evaluates banks’ anti-scam practices  

ASIC has evaluated the anti-scam practices of 15 banks outside Australia’s four major banks, revealing significant issues in their scam prevention strategies. Its report highlights significant variations in scam prevention and detection practices, with many banks showing less mature approaches to scam governance. Inconsistent liability determination and inadequate support for scam victims were also noted, including poor customer service and mishandling of reports. Despite improvements in scam awareness, ASIC Deputy Chair Sarah Court identified a pressing need for a “continued focus across industry and regulators to effectively tackle this important issue.” The report found that only a third of the evaluated banks had comprehensive anti-scam strategies, and that customers carried 96% of scam losses over the past year. Banks detected and prevented 19% of scam transactions, though performance varied widely.  

6. ASIC releases workshop summary document on servicing First Nations communities

ASIC has released a summary of its June 2024 workshop focused on improving financial services for First Nations communities. The workshop addressed how financial services can better serve remote First Nations consumers by exploring existing practices, highlighting successful examples, and identifying areas for improvement. The workshops continue to progress the outcomes set out in ASIC’s Indigenous Financial Services Framework. 

7. ASIC extends reference checking protocol to mortgage aggregators   

ASIC has updated its reference checking and information-sharing protocol for financial advisers and mortgage brokers to align with recent legislative changes. The new protocol, titled ASIC Corporations and Credit (Reference Checking and Information Sharing Protocol) Instrument 2024/647 (2024 Protocol) will replace the 2021 Protocol and take effect on 20 August 2024. 

Originally introduced following recommendations from the Royal Commission into misconduct in the Banking, Superannuation, and Financial Services Industry, the 2021 Protocol aimed to enhance information sharing and reference checking. The 2024 updates, following 2023 legislative changes, now extend the protocol to include mortgage broking intermediaries, such as aggregators. 

Key updates include allowing aggregators to obtain references on mortgage broker licensees and their representatives. While it is optional for licensees to request references from a prospective representative’s current or former mortgage aggregator, the 2024 Protocol introduces new questions in the template consent and reference forms regarding any warnings or reprimands from ASIC or the Financial Services and Credit Panel. 

There is a transitional period until 28 February 2025, during which licensees can use reference forms from either the 2021 or 2024 Protocol. To support compliance, ASIC has also updated Information Sheet 257 (INFO 257). 

8. ASIC Enforcement activity

ASIC has been active in the enforcement space in the last fortnight. 

• Mr Ben Jayaweera, a former financial adviser and director of Growth Plus Financial Group Pty Ltd, has been sentenced to 12 years’ imprisonment for 28 counts of fraud which caused 12 former clients a detriment of $5,958,870. Judge Moynihan KC described Mr Jayaweera’s conduct as ‘brazen, gross, and callous’ and said ‘his actions were not only criminal but evil, demonstrating no remorse’.   
• On 23 August, the Federal Court ruled that Kraken crypto exchange operator Bit Trade Pty Ltd (Bit Trade) failed to comply with design and distribution obligations by providing a “margin extension” product without determining a target market as required by law. Bit Trade argued, among other things, that its product structure, which allows for indefinite obligations without fixed repayment dates, exempts the product from the obligations. However, Justice Nicholas agreed with ASIC, finding that as the product provided for margin extensions to be made and repaid in a national currency, this created a deferred debt (even if contingent on future events) which meant the product was a credit facility. The same was not true where the extension created an obligation to pay in digital assets.  
• Ms Yat Nam (April) Yuen, who held various roles at collapsed stockbroking firm BBY Limited (BBY) including Manager (Strategy), has been sentenced to 2 years and 6 months’ imprisonment for aiding and abetting BBY to engage in dishonest conduct. As a result of her convictions, Ms Yuen will be disqualified from managing corporations for five years and will be unable to be involved in the business of a market participant in connection with securities and futures markets. 
• ASIC cancelled the AFSL of former national financial advisory business Libertas Financial Planning Pty Ltd (in liquidation) after it failed to pay compensation in relation to an AFCQA determination. This is the first time ASIC has cancelled an AFSL following a payment of compensation by the Compensation Scheme of Last Resort. 

APRA   

9. APRA finalises new cross-industry Prudential Standard CPS 001 Defined terms 

APRA has received and responded to industry submissions in relation to the draft Prudential Standard CPS 001 Defined Terms (CPS 001) released on 27 November 2023, which were broadly supportive. A final version of the standards is now available.  

CPS 001 cleans up and centralises definitions, including by consolidating the five existing definitions standards into one – being APS 001, GPS 001, LPS 001, HPS 001 and 3PS 001. This change is intended to create a more user-friendly cross-industry standard, coupled with recent developments towards an interactive version as a part of APRA’s new digital Prudential Handbook.  

APRA acknowledges there is further scope for consistency and streamlining, and will consider further improvements recommended. CPS 001 will take effect from 1 October 2024.  

10. APRA shares further insights on common cyber control weaknesses 

As part of its ongoing supervision of cyber resilience in the financial system, APRA addressed a letter to all regulated entities to provide insight and guidance on common cyber control weaknesses, being security in configuration management, privileged access management and security testing. APRA expects regulated entities to review their control environment and to make required notifications of material security gaps, as well as to conduct regular self-assessments and adopt appropriate strategies.  

11. APRA outlines new priorities in 2024-25 Corporate Plan & internal reorganisation to support strategic priorities  

As of 28 August 2024, APRA has announced its 2024-25 Corporate Plan. For the first time, this Corporate Plan includes APRA’s annual policy and supervision priorities as well as data priorities. These include key strategic objectives to:  

• Maintain financial and operational resilience: This work will include key initiatives to strengthen bank capital and liquidity standards, increase minimum standards for operation resilience through new Prudential Standard CPS 230 Operational Risk, raise industry standards on cyber risk management and develop a ‘system stress test’ to model and assess interconnections across the financial system. 
• Respond to significant and emerging risks: This work will include key initiatives to lift obligations regarding climate risk in decision-making and prepare for introduction of the Government’s proposed licensing regime for payment service providers (which may expand APRA’s role).  
• Address industry-specific challenges: This work will include key initiatives to partner with Government stakeholders to identify ways to support access to household insurance, and work with ASIC to ensure trustees meet requirements set by the Retirement Income Covenant. 

On the same day, APRA also announced an internal reorganisation to support its strategic priorities. This involved the change to their two frontline supervision divisions, being a General Insurance and Banking division and a Life Insurance, Private Health Insurance and Superannuation division, which will take effect on 2 September 2024. 

12. APRA releases 2024 superannuation performance test results 

APRA has recently released the results of its 2024 superannuation performance test, which is designed to increase industry transparency and improve member outcomes. The test assesses the long-term performance of superannuation products against tailored benchmarks, with consequences for products that fail to meet requirements. Results of the 2024 tests revealed that, for the first time, all 57 MySuper products evaluated passed the test, and 155 out of 192 platform products directed by trustees. 

ACCC 

13. ACCC Chair gives opening address to Law Council Annual Competition and Consumer Law Workship  

ACCC Chair, Gina Cass-Gottlieb, opened the Law Council’s Annual Competition and Consumer Law Workshop with a speech canvassing the ACCC’s approach to enforcement and compliance activities before moving onto the ongoing merger reforms. Ms Cass-Gottlieb noted that the ACCC has been supportive of the Government’s reform proposals to deliver a ‘stronger, simpler, targeted, faster and more transparent merger system,’ noting that consultation on new merger guidelines will take place as soon as possible. 

In addition to merger reform, Ms Cass-Gottlieb noted that the ninth report in the Digital Platforms Services Enquiry will be released in September and will examine general search services, including the current state of competition in the supply of search – a timely update following the US Department of Justice’s case against Google. It was also noted that the ‘insidious scourge of scams’ continues to inflict significant emotional and financial distress on many members of the community. In response, the ACCC’s National Anti-Scam Centre (established last year) is working to disrupt the activity of scammers and reduce theft from scams. 

OAIC 

14. OAIC discontinues action against Clearview AI

The OAIC has discontinued further action against Clearview AI – but not because it’s happy with the facial recognition company’s conduct.  

Clearview AI was the subject of a 14 October 2021 OAIC determination finding that its collection of images and biometric templates from individuals in Australia contravened the Privacy Act and Australian Privacy Principles. On review, the AAT affirmed the OAIC’s determination, finding that the US-based company was ‘carrying on a business in Australia’ as it repeatedly collected information from Australian servers, and consequently in breach of the Privacy Act.  

Clearview AI withdrew from those proceedings before the AAT could make orders to remedy its breaches of the Privacy Act. The OAIC’s decision to discontinue further action comes as a result of the cost of pursuing Clearview AI further, when weighed against the need for further enforcement – particularly given the company has, in the words of Privacy Commissioner Carly Kind, “found itself the subject of regulatory investigations in at least three jurisdictions around the world as well as a class action in the United States.” In holding off on further action, the regulator stresses that its original determination against Clearview AI “still stands,” highlighting that the OAIC will not shy away from pursuing action against organisations even with a more tenuous ‘Australian link.’ 

15. OAIC release discussion paper on policy and regulatory implications of screen scraping  

The OAIC has made its submission to the Federal Treasury’s discussion paper “Screen scraping – policy and regulatory implications” issued on 27 October 2023. The paper seeks feedback on the practice of consumers sharing their login details with third parties, who in turn use those details to collect point-in-time information as a service to the consumer. The OAIC expands on the privacy and security risks of this practice, and confirms its recommendation that screen scraping and other unsafe online practices be prohibited. Specifically, the OAIC notes that while the Privacy Act ” creates core technology neutral protections,” it views specific regulation prohibiting screen scraping as necessary given the notable privacy risks associated with this practice. 

16. OAIC releases Corporate Plan for 2024–25  

The OAIC’s Corporate Plan for 2024-25 sets the regulator’s key priorities for the financial year, with work to achieve these goals following four key activities:  

• Influence and uphold privacy and information access rights frameworks: This work will include a number of education and guidance activities, and a revised version of the Credit Related Research Rule 2014. 
• Advance online privacy protections for Australians: This work will include progressing the Australian Government’s response to the review of the Privacy Act, further legislative reforms related to the 2023-2030 Australian Cyber Security Strategy, and activities in the OAIC’s new role as regulator of the Digital ID system. 
• Encourage and support proactive release of government information: This work follows challenges identified in the
  5-yearly Information Publication Scheme review completed in 2023-24, and will include enhanced delivery of review functions, improved complaint investigation, and revised freedom of information guidelines based on practitioner consultation. 
• Take a contemporary, harms-based approach to regulation: This work will be harm focused and risk based, with the OAIC turning a particular focus to emerging technologies such as AI, digital economy developments such as the Consumer Data Right and Digital ID System.  

The OAIC has also identified it will be more likely to take enforcement action that relates to substantial or systemic harms (in particular regarding vulnerable groups), is likely to change sectoral or market practices, that will clarify elements of privacy laws, or that is in the public interest – proportionate to the risks of harm, regulatory burden, community expectations and cost. 

 Treasury 

17. Treasury looks to revitalise national competition policy

Treasury is welcoming feedback in relation to three facets of a revitalised National Competition Policy (NCP) to be considered alongside modelling by the Australian Government Productivity Commission and other research and panel advice in relation to the framework of the NCP.  

This includes:  

• How can the National Competition Principles be revitalised to address contemporary competition issues?  
• Does the proposed National Competition Reform Program reflect the key areas of existing or emerging competition issues, and what are the key reforms that should be considered?  
• What institutional and governance frameworks would best support NCP?  

Revitalisation of the NCP is part of a commitment by Australia’s treasurers to develop a long-term pro-competitive reform agenda, and recognise the substantial changes in the Australian economy in past decades. Submissions close on 23 September 2024. 

Legislative updates 

18. Treasury Laws Amendment (Consumer Data Right) Bill 2022 receives royal assent 

Introduced to the Federal Parliament in November 2022, the Treasury Laws Amendment (Consumer Data Right) Bill 2022 (Bill) is set to be signed into law, after it was passed by both houses of Parliament on 15 August 2024 and received royal assent on 26 August 2024. The Bill amends the Consumer Data Right (CDR) regime in Part IVD of the Competition and Consumer Act 2010 (Act) to introduce ‘action initiation.’ This will enable CDR consumers to direct accredited persons to perform actions on their behalf, as opposed to under the current CDR regime, which largely deals with the data sharing of CDR consumer data.  

The existing CDR regime only applies to designated sectors subject to the CDR, which aims to give consumers greater control over their CDR data. Designated sectors, is defined in the Act at section 56AC, being a sector where the Minister has designated by legislative instrument. Examples of such designated sectors are the banking and energy sectors, designated by the Consumer Data Right (Authorised Deposit-Taking Institutions) Designation 2019 and the Consumer Data Right (Energy Sector) Designation 2020 respectively. 

The major amendments proposed by the Bill relate to CDR consumers’ ability to request accredited persons to give instructions on their behalf to service providers (such as a bank or energy retailer) for the performance of various actions. These actions include making a payment, opening and closing an account, switching providers and updating a CDR consumer’s personal details. The amendments give consumers greater autonomy, by expanding the CDR from a pure data sharing scheme to a scheme that allows consumers to act on CDR information they receive. For example, CDR data provided to consumers regarding energy providers may assist in informing consumers on whether they would be better suited to another provider. The CDR Rules and Standards underpinning this Bill are still awaited. 

If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.

Authored by:
Sinead Lynch, Partner
Caroline Ord, Partner
Matthew Bode, Partner
Kelly Griffiths, Partner
Michael Kenny, Partner
Daniel Maroske, Partner
Kate Mills, Partner
Anna Fanelli, Senior Associate
Tehlyn Murray, Associate
Chris Girardi, Lawyer
Raymond Huang, Lawyer
Wen Wong, Lawyer
Lucy Hardyman, Lawyer
Matt Schwab, Lawyer
Fiona Ng, Lawyer
Monica Baur, Lawyer
Bronte Anderson, Lawyer
Steven Schwartz, Lawyer
Kartia Bouras, Lawyer
Isabella Parsons, Graduate
Rose Hou, Paralegal