Regulatory Framework

Regulatory authorities

  1. What national authorities regulate the provision of financial products and services?

The Australian Securities and Investments Commission (ASIC) is Australia’s primary corporate, markets, financial services and consumer credit regulator. It is responsible for regulating consumer protection and maintaining market integrity within the financial system.

The Australian Prudential Regulation Authority (APRA) is concerned with maintaining the safety and soundness of financial institutions and is tasked with protecting the interests of depositors, policyholders and superannuation fund members.

The Reserve Bank of Australia (RBA) is Australia’s central bank and provides a range of banking services to the Australian government and its agencies, overseas central banks and official institutions. It is also responsible for maintaining the stability of the financial system through monetary policy and regulating payment systems.

Throughout 2018, the Australian government undertook the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Royal Commission). The Royal Commission released its final report in February 2019. The findings of the Royal Commission have, and will continue to have, a significant effect on the financial services industry. The Royal Commission found that widespread misconduct has occurred across the financial services industry, and as a result there has been a marked decrease in consumer trust in incumbent institutions and their ability to prioritise consumers and protect consumer data. The Royal Commission also criticised corporate regulators for their lack of action in response to misconduct, often leaving misconduct unpunished or imposing penalties that were insufficiently harsh to act as a deterrent for similar future behaviour. The Royal Commission made 76 recommendations, with the Australian government pledging to implement all of the recommendations. Over the past two years, this has manifested through the broadening of powers and jurisdiction of regulators and a more active approach to enforcement.

  1. What activities does each national financial services authority regulate?

ASIC supervises the conduct and regulation of Australian companies, financial markets, financial services providers and professionals who deal and advise in investments, superannuation, insurance, non-cash payments, deposit taking, credit products and crowd-sourced funding services. ASIC is entrusted with the following responsibilities:

  • As the financial services regulator, ASIC licenses and monitors financial services providers to ensure that they operate efficiently, honestly and fairly.

  • As the consumer credit regulator, ASIC licenses and regulates entities engaging in consumer credit activities including banks, credit unions, finance companies, and mortgage and finance brokers.

  • As the markets regulator, ASIC assesses how effectively authorised financial market operators are complying with their legal obligations to operate fair and transparent markets, and advises Parliament regarding new markets.

ASIC also has general administration over company fundraising through the issue or sale of financial products in Australia. It supervises and enforces disclosure requirements to retail investors for companies issuing and selling financial products.

APRA oversees authorised deposit-taking institutions (ADIs) (eg, banks, building societies and credit unions), general insurers, life insurers, friendly societies, reinsurance companies and superannuation funds (other than self-managed funds). APRA is responsible for promoting financial stability in Australia.

The RBA conducts Australia’s monetary policy and issues its currency, as well as having responsibility for promoting the safety and efficiency of the payments system. While it does not supervise the prudential soundness of banks or other ADIs, it does have a role in maintaining the stability of the financial system as a whole.

  1. What products does each national financial services authority regulate?

ASIC’s regulatory framework covers a wide range of financial products offered in relation to the above activities, including securities, managed investment products, derivatives, general and life insurance, superannuation, margin lending, carbon units, deposit accounts and means of payment (eg, non-cash payment facilities).

APRA’s focus is on industry segments, rather than financial products. The products associated with these segments include banking products, insurance products and superannuation products.

The RBA’s focus is on Australia’s monetary policy, rather than financial products.

Authorisation regime

  1. What is the registration or authorisation regime applicable to financial services firms and authorised individuals associated with those firms? When is registration or authorisation necessary, and how is it effected?

A person who carries on a financial services business in Australia must hold an AFSL or otherwise be exempt from the requirement to be licensed. The Corporations Act 2001 (Cth) (Corporations Act), which is administered by ASIC, provides that a financial services business is taken to be carried on in Australia where, in the course of carrying on a business, a person engages in conduct that is intended to, or likely to, induce people in Australia to use the financial services they provide, whether or not the conduct is intended.

Broadly, financial services include providing financial product advice, dealing in financial products (as principal or agent), making a market for financial products, operating registered schemes, providing custodial or depository services, traditional trustee company services or crowdfunding services.

A financial product is a facility through which, or through the acquisition of which, a person makes a financial investment, manages financial risk or makes non-cash payments. Examples of financial products include securities (eg, shares and debentures), interests in managed investment schemes (eg, units in a unit trust), payment products (eg, deposit products and non-cash payment facilities), derivatives, superannuation interests, margin lending facilities and foreign exchange contracts.

The definitions of financial products and services under the Corporations Act are very broad and will often capture investment and advisory activities, wealth management products and services, market making, financial markets and crowdfunding services. Effecting or arranging dealings in financial products (as principal or agent) may also trigger the requirement to hold an AFSL, if such activities are conducted in the course of carrying on a financial services business in Australia.

A financial services provider must be granted an AFSL by ASIC (or otherwise be exempt) prior to providing financial services in Australia. AFSLs are granted after a detailed assessment by ASIC of the provider’s business in relation to the financial services it intends to provide, its ability to meet financial and organisational competence requirements and its overall ability to comply with financial services laws.

The ACL regime applies to persons who engage in consumer credit activities in Australia, such as providing credit under a credit contract or consumer lease. Any person engaging in consumer credit activities must hold an ACL, or otherwise be exempt from the requirement to hold an ACL. Consumer credit activity is regulated by ASIC under the National Consumer Credit Protection Act 2009 (Cth) (National Credit Act) and associated regulations.

The credit licensing process involves ASIC assessing the types of credit activities proposed to be engaged in under the ACL, the ability to comply with National Credit Act obligations and representatives of the licensee for the purpose of it conducting credit activities.

An entity that conducts any ‘banking business’ such as taking deposits (other than as part-payment for identified goods or services) and making advances of money must be authorised as an ADI. APRA is responsible for the authorisation process and granting of ADI licences (as well as ongoing prudential supervision). In 2018, APRA released the Restricted ADI framework, which is designed to assist new businesses to enter the banking industry. Eligible entities can seek a Restricted ADI licence, allowing them to conduct a limited range of business activities for two years while they build their capabilities and resources. After such time, they must either transition to a full ADI licence or exit the industry.

Financial services providers may also need to hold an AML where they operate a facility through which offers to buy and sell financial products are regularly made and accepted (eg, an exchange). ASIC will only grant an exemption from the requirement to hold an AML if they consider the regulatory outcomes of market licensing are not relevant to the market venue, can be achieved without regulation under the AML regime or impose costs that significantly outweigh the benefits of those outcomes.

There is currently a two-tier licence system in place in relation to financial markets:

  • Tier 1 is designed to facilitate oversight of traditional market models and significant non-exchanges. These include market venues that are, or are expected to become, significant to the Australian economy or to the efficiency, integrity and investor confidence in the financial system.

  • Tier 2 applies to most other licensed market venues. This second tier of licences is specifically targeted at specialised and emerging market venues, and designed to facilitate reduced regulatory oversight and a reduced regulatory burden for lower risk financial markets.

A person who operates a facility that clears and settles transactions (ie, enables counterparties to meet their transaction obligations to each other) in financial products will require a CS facility licence or be exempt from holding one. Both ASIC and the RBA are responsible for the super- vision of operators of CS facilities and their participants. Registerable superannuation entity (RSE) licence Under the Superannuation Industry (Supervision) Act 1993 (Cth) (SIS Act), if an entity intends to operate as an RSE trustee, they must hold an RSE licence issued by APRA. RSEs do not include exempt public sector superannuation schemes or self- managed superannuation funds regulated by the Australian Taxation Office. There are four classes of RSE licence: public offer entity licence, non-public offer entity licence, extended public offer entity licence, and acting trustee licence.

RSE licensees must comply with a number of ongoing non- exhaustive requirements under the SIS Act. These obligations include complying with the RSE licensing obligations, notifying APRA of any significant breaches, or likely breaches, of a prudential requirement within 10 days of becoming aware of the breach, and registering each superannuation entity for which it intends to be an RSE licensee. APRA may cancel an RSE licence if it has reason to believe the licensee will breach a licence condition.

Under the Insurance Act 1973 (Cth) (Insurance Act), it is an offence for an entity to conduct an insurance business in Australia without obtaining a general insurance licence from APRA. The Insurance Act defines ‘insurance business’ as the business of undertaking liability by way of insurance (including reinsurance) in respect of any loss or damage. The liability is contingent upon the occurrence of a specified event, and any business incidental to an insurance business.

The Insurance Act only allows corporations or underwriters to carry out insurance business in Australia, which means APRA will not consider applications from partnerships or unincorporated entities. Additionally, certain insurance business activities do not come within the definition of ‘insurance business’, such as life insurance, health insurance or the provisions of benefits for funeral services.

  1. What statute or other legal basis is the source of each regulatory authority’s jurisdiction?

What statute or other legal basis is the source of each regulatory authority’s jurisdiction?

ASIC is established under the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act), and regulates financial services in Australia under the Corporations Act. ASIC also has enforcement powers under the Corporations Act and the National Credit Act.

APRA is established under the Australian Prudential Regulation Authority Act 1998 (Cth), and administers the Banking Act 1969 (Cth) (Banking Act), the Insurance Act, the Life Insurance Act 1995 (Cth) and the SIS Act.

  1. What principal laws and financial service authority rules apply to the activities of financial services firms and their associated persons?

The Corporations Act and the Corporations Regulations 2001 (Cth) are the primary laws that regulate the conduct and disclosure obligations of financial services providers. These laws are predominantly administered by ASIC, with the remit of maintaining, facilitating and improving the performance of the financial system and promoting informed participation by investors and consumers. ASIC sets out its approach to regulation through the publication of regulatory guides (RGs).

Additionally, ASIC sets out obligations for individuals to report to ASIC certain breaches of the law. AFSL holders must notify ASIC in writing if there has been a ‘significant’ breach, or likely significant breach, of their obligations under the Corporations Act, as soon as practicable, and in any event within 10 business days of becoming aware of the breach or likely breach. Relevant factors that determine whether a breach is ‘significant’ include the frequency of similar previous breaches, the impact of the breach on the licensee’s ability to provide financial services, actual or potential loss arising from the breach and the extent to which the breach indicates the licensee’s arrangements to ensure compliance with those obligations is inadequate.

The provisions of the Banking Act empower APRA to regulate ADIs (banks, building societies and credit unions) under a single licensing regime and develop prudential policies that balance financial safety and efficiency, competition, contestability and competitive neutrality.

Entities that conduct any ‘banking business’ such as taking deposits (other than as part-payment for identified goods or services) and making advances of money must be licensed as an ADI. The Restricted ADI framework allows new businesses entering the banking industry to conduct a limited range of business activities for two years, before either transitioning into a full ADI or exiting the industry.

The Financial Sector (Collection of Data) Act 2001 (Cth) (FSCODA) allows APRA to collect data from registrable financial corporations and facilitates the collection of statistical data. Under FSCODA, an entity will broadly be a registrable corporation if it engages in the provision of finance in the course of carrying on business in Australia.

Corporations specifically excluded from being registrable under FSCODA include banks, building societies, credit unions, public authorities, friendly or benefit societies, insurance companies and companies authorised by law to act as an executor, administrator and trustee. Additionally, an entity is not a registrable corporation for the purposes of FSCODA if:

  • its assets in Australia, consisting of debts due to the corporation resulting from transactions entered into in the course of provision of finance by the corporation, do not exceed A$50 million in aggregate value; and

  • the principal amounts outstanding on loans or other financing, as entered into in a financial year, do not exceed A $50 million in aggregate value.

Entities that fall within the registrable corporations requirement have a number of obligations under the FSCODA.

Entities must provide APRA with relevant documentation within 60 days of becoming a registrable corporation or face a potential fine of A$11,100 for every day of non-compliance. Similarly, entities must inform APRA within 60 days of any change of name or registered address, or change in principal methods of borrowing or lending. Entities that fail to do so may be subject to a potential fine of A$2,220 for every day of non-compliance.

Registered corporations are also required to appoint an auditor and audit the corporation to ensure it fulfils its responsibilities in accordance with reporting standards.

Most financial services businesses also have obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML/CTF Rules). These laws are administered by the Australian Transaction Reports and Analysis Centre (AUSTRAC) and apply to entities that provide any ‘designated service’ that has the potential to facilitate money laundering or terrorism financing (eg, by factoring a receivable, providing a loan, or issuing or selling securities). Entities that provide designated services are known as ‘reporting entities’ and are required to enrol with AUSTRAC, conduct customer due diligence on customers prior to providing any designated services and adopt and maintain an anti-money laundering and counter-terrorism financing (AML/CTF) programme. Reporting entities also have numerous reporting obligations such as:

  • threshold transaction reports;

  • international funds transfer instruction reports;

  • suspicious matter reports;

  • cross-border movement reports; and

  • AML/CTF compliance reports.

Entities that wish to provide designated remittance services (ie act as a remitter) also need to register with AUSTRAC as a remitter prior to providing such services.

Businesses providing goods or services in Australia are also subject to the key conduct prohibitions set out in Australian Consumer Law (set out in the Competition and Consumer Act 2010 (Cth)), which is enforced by the Australian Competition and Consumer Commission (ACCC). Broadly, these include prohibitions on misleading and deceptive conduct, false or misleading representations, unconscionable conduct and unfair contract terms. While the Australian Consumer Law does not apply to financial products and services, these consumer protections are enforced by ASIC either through similar provisions in the ASIC Act or also by delegated power from the ACCC (eg, taking action on misleading or deceptive conduct with respect to initial coin offerings).

Scope of regulation

  1. What are the main areas of regulation for each type of regulated financial services provider and product?

The main areas of regulation and supervision administered by ASIC under the Corporations Act are licensing, disclosure and registration. Under the ASIC Act, ASIC also enforces consumer protection provisions in a financial services context, including prohibiting misleading and deceptive conduct in the provision of financial services.

APRA is the prudential regulator of the financial services industry that licenses and supervises banking, insurance and superannuation businesses to ensure that under all reasonable circumstances, the financial promises made to their beneficiaries are kept.

The RBA provides a range of banking services to the Australian government and its agencies, overseas central banks and official institutions. It is also responsible for maintaining the stability of the financial system through monetary policy and regulating payment systems.

Financial services providers may also be subject to AML/CTF requirements.

Additional requirements

  1. What additional requirements apply to financial services firms and authorised persons, such as those imposed by self- regulatory bodies, designated professional bodies or other financial services organisations?

Financial services providers that provide financial services to retail clients in Australia must be a member of the Australian Financial Complaints Authority (AFCA). AFCA is a single external dispute resolution scheme for the financial services industry that replaced the Financial Ombudsman Service, the Credit and Investments Ombudsman and Superannuation Complaints Tribunal in late 2018. Its primary responsibility is to resolve consumer complaints regarding financial providers and it can also make decisions that bind these providers.

Financial services providers may also be regulated under the Privacy Act 1988 (Cth) (Privacy Act), including the 13 Australian Privacy Principles, which impose obligations on the collection, use, disclosure, retention and destruction of personal information. In the event of a data breach, entities regulated under the Privacy Act are required to notify any affected individuals and the Office of the Australian Information Commissioner where such a breach is likely to result in serious harm to those individuals.

Financial services providers may also be subject to AML/CTF requirements or have obligations under the Australian Consumer Law.

Enforcement 

Investigatory powers

  1. What powers do national financial services authorities have to examine and investigate compliance? What enforcement powers do they have for compliance breaches? How is compliance examined and enforced in practice?

The Australian Securities and Investments Commission (ASIC) has very broad powers to take action to regulate the financial services industry. Financial services providers have an obligation to keep ASIC informed of any significant breaches of its obligations or the law. However, where ASIC has reason to suspect there has been a potential breach, it has wide investigative powers to require a person or entity to provide documents, information and attend an examination, inspect documents, compel assistance with an investigation and apply for a search warrant. ASIC will consider a range of factors in deciding whether to take enforcement action. Enforcement may take the form of an adverse publicity order, public warning, infringement notice, enforceable undertaking, banning orders or disqualification of persons from managing corporations.

ASIC also has the ability to commence court proceedings against persons or entities, including obtaining injunctive relief, civil or criminal prosecution. Further, the Treasury Laws Amendment (Design and Distribution Obligations and Product Intervention Powers) Act 2019 (Cth) (DDO/PIP Act) was passed In April 2019 and has introduced a product intervention power for ASIC in relation to financial products that are issued and distributed to retail clients, including the ability to issue a stop order in relation to the issue of a product, or other enforcement action. The DDO/PIP Act amended the Corporations Act, National Credit Act and ASIC Act to provide ASIC the power to prevent or respond to significant consumer detriment in respect of certain financial products and credit products by making public intervention orders. Relevant factors to consider when determining whether risk of detriment is ‘significant’ include the nature and extent of the detriment (eg, whether any actual or potential financial loss is suffered) as well as the impact that the detriment has had, will have or is likely to have, on consumers. ASIC recently released Regulatory Guide 274: Product design and distribution obligations in December 2020 following industry consultation setting out its approach to regulation in this area.

The Australian Prudential Regulation Authority (APRA) has broad powers to take enforcement action against uncooperative institutions (including associated persons). This may include taking control of the entity, effecting a restructure or exit from the industry. APRA may undertake a formal investigation into the affairs of an institution, with enforcement including imposing additional conditions imposed on an institution’s licence, disqualification of individuals, restraining orders, enforceable undertakings, or criminal prosecution.

A key finding from the Royal Commission was that regulators had failed to take appropriate enforcement action in response to known compliance issues. Since these findings, the financial services industry has experienced more proactive and firmer action by regulators, which is likely to continue in the future.

AUSTRAC may pursue a wide range of enforcement sanctions under the AML/CTF Act. These include imposing civil and criminal penalties (which can be significant in value), accepting enforceable undertakings, issuing infringement notices, giving remedial directions, and cancelling or suspending registrations of digital currency exchange providers and designated remittance services. AUSTRAC typically examines compliance through industry-wide or reporting-entity-specific surveillance, and utilises its cooperative enforcement powers (eg, enforceable undertakings, required compliance reviews). However, over the past few years AUSTRAC has become more active in pursuing civil and criminal penalties.

In September 2020, a major Australian bank agreed to pay a civil penalty of A$1.3 billion, which is the largest civil penalty fine in Australian corporate history, for breaching money laundering laws after AUSTRAC applied for civil penalty orders against the bank in November 2019 for contravening the AML/CTF Act on over 23 million occasions. It was reported that the breaches were largely a result of failures in the bank’s compliance and risk management practices and controls to properly report international money transfers.

Disciplinary powers

  1. What are the powers of national financial services authorities to discipline or punish infractions? Which other bodies are responsible for criminal enforcement relating to compliance violations?

There are a range of other bodies that are responsible for compliance enforcement, depending on the law that has been contravened.

ASIC may pursue a variety of enforcement remedies, depending on the seriousness and consequences of the misconduct. These remedies include imposing criminal sanctions (eg, imprisonment or financial penalties, or both), civil penalties and revocation, suspending or varying a licence. APRA may also pursue criminal action against persons or institutions that are unwilling or unable to cooperate.

Additionally, the OAIC is responsible for investigating and taking appropriate enforcement action against contraventions of the Privacy Act and associated data and privacy obligations. Similarly, the ACCC has the power to investigate and take enforcement action for contraventions of the Competition and Consumer Act 2010 (Cth).

Historically, criminal cases under the Corporations Act were required to be brought in state courts and not at the federal level, with the Royal Commission finding that ASIC primarily instigates criminal proceedings in the financial services sector against individuals. Therefore, any criminal prosecutions for misconduct by banks and other financial institutions were heard in state courts only and subsequently competed with state cases for resources and scheduling. However, in early 2019, the Australian government broadened the jurisdiction of the Federal Court to include corporate crime on the basis that it may be able to manage cases faster and more efficiently than state courts. This also saw the appointment of two additional judges, 11 registry and support staff, and the construction of new courts to facilitate the anticipated increased case load.

Tribunals

  1. What tribunals adjudicate financial services criminal and civil infractions?

AFCA resolves disputes between consumers and financial services providers and may require a financial services firm to pay compensation, release security over a debt or reinstate, rectify or properly perform a contract. AFCA’s jurisdiction in adjudicating disputes between consumers and financial services firms is up to A$1 million per dispute. The monetary limit on awards the AFCA can make is A$500,000 per claim for consumers and A$1,000,000 for small businesses.

The Administrative Appeals Tribunal (AAT) is an independent body that adjudicates civil financial services infractions by conducting a merits review of administrative decisions of corporation and financial services regulation. The AAT has the power to affirm, vary, set aside or remit a decision.

Criminal infractions are adjudicated in Australian courts only.

Penalties

  1. What are typical sanctions imposed against firms and individuals for violations? Are settlements common?

While the court is never obliged to give effect to agreed settlements, it will always consider whether settlements are appropriate on the basis of materials provided by the parties and the contents of any agreed statement of facts.

Historically, ASIC has demonstrated a willingness for settlements as a way to reach cheaper, faster and more certain outcomes in most disputes. For ASIC, they can accept an enforceable undertaking and issue a media release, while the other party is able to avoid litigation and continue business operations. ASIC has also entered into settlement agreements with various banking institutions that provide for compensation to be payable to affected customers for losses suffered.

Despite ASIC’s willingness to reach settlement agreements, the Royal Commission questioned this approach and made comments that ASIC had been too prepared to avoid compulsory enforcement action and instead attempt to settle all disputes by agreement, with such an approach often leaving facts unestablished in court and not challenging the effectiveness of the law. Since the release of the Royal Commission findings ASIC has adopted a ‘why not litigate?’ approach, which has seen a significant increase in commenced proceedings, primarily against large financial institutions, throughout 2019 and 2020.

Compliance Programmes

Programme requirements

  1. What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

The nature and content of compliance varies depending on the activities in which the entity is engaged.

Australian financial services licence (AFSL) holders have general obligations that must be complied with under the Corporations Act. These obligations include ensuring financial services are provided efficiently, honestly and fairly, managing conflicts of interest, complying with licensing conditions and financial services laws, carrying out supervisory arrangements, maintaining a dispute resolution system for retail clients and ensuring representatives of the licence are adequately trained and competent.

The extent of a licensee’s obligations is determined by the nature, scale and complexity of the business. Relevant factors include the products and services offered, volume and size of the transactions, number and type of clients (wholesale or retail), the diversity and struc- ture of the operations, size of the organisation and whether financial services is a core provision of the business. It is crucial that licensees have adequate processes, procedures or arrangements that cover all obligations, including general obligations, licensing conditions and any applicable financial services law.

Additionally, licensees must have adequate risk management systems in place on an ongoing basis to identify, evaluate and mitigate potential risks to an acceptable minimum. Risk management systems must be based on a structured and systematic process that take into account a licensee’s obligations.

Australian credit licensees must comply with general obligations that aim to ensure businesses are operated properly. In addition to these, licensees must also adhere to more specific obligations and regulations, which include:

  • responsible lending requirements that ascertain and verify whether a consumer’s financial situation and assess whether the credit contract is suitable;

  • requirements in the National Credit Code dealing with precontractual disclosure and conduct in relation to the terms of credit contracts and consumer leases; and

  • maintaining trust accounts.

Credit licensees must also lodge an annual compliance certificate with the Australian Securities and Investments Commission (ASIC) to certify that their obligations as a licensee have been complied with.

Market licensees must ensure continuous compliance with their licensing obligations and report on the extent of their compliance annually. Relevant factors for ensuring compliance include:

  • monitoring and assessing to identify actual or potential breaches;

  • ensuring the market is fair, orderly and transparent;

  • closely supervising the market to handle conflicts of interest, monitor conduct of participants and trading activity; and

  • dealing with suspected breaches.

CS facility licensees must comply with a number of general obligations under the Corporations Act. These obligations include complying with the Reserve Bank of Australia (RBA)’s financial stability standards, reducing systemic risk, providing services in a fair and effective manner, complying with licensing conditions, ensuring adequate arrangements are in place for handling conflicts of interest and enforcing compliance with the facility’s operating rules, and having sufficient resources to operate supervisory arrangements. It is important for CS facility licensees to report to ASIC and RBA at least annually on whether these licence obligations are being satisfied.

ADI licence holders have a number of ongoing obligations. These include ensuring that their risk management and internal control systems are adequate and appropriate for monitoring and mitigating risk, satisfying requirements of the composition and functioning of the board and ensuring people in key positions of the ADI are fit and proper.

Gatekeepers

  1. How important are gatekeepers in the regulatory structure?

Gatekeepers play a crucial role in the overall operation of the Australian financial system. Although the roles and responsibilities of gatekeepers in the financial services industry are governed by ASIC, the system is ‘self-executing’. ASIC expects gatekeepers to act professionally and treat investors fairly, maintain effective risk management and internal supervision, and ensure investors are fully compensated when losses result from poor conduct. Within the financial services system, the key gatekeepers include directors, financial planners and financial advisers, custodians, research houses, auditors, trustees and responsible entities. Directors and company officers function as the primary gate- keepers in maintaining the integrity of financial markets and upholding regulatory obligations. Companies are expected to have strong internal auditing and compliance functions, and directors are expected to drive a strong culture of compliance within their organisation. ASIC closely monitors gatekeeper conduct and holds directors to account for failure to properly execute their obligations. It is important for companies to have proper internal processes for handling revelations from whistle- blowers, train staff on company conduct and obligations, and periodically check on the effectiveness of compliance policies and regulatory requirements, including identifying, escalating and reporting breaches to ASIC.

ASIC has overall responsibility for the surveillance, investigation

and enforcement of the financial reporting and auditing requirements of the Corporations Act. Internal auditors must maintain independence from the audit committee or board of directors in order to form a true and fair opinion about whether the financial report complies with the accounting standard. Directors must not rely on the auditor when forming their own opinion on the financial report and ensure the company has its own system, processes, controls and resources to produce high-quality financial reports.

Such gatekeepers are also coming under greater scrutiny in the banking industry, including with the introduction of the Banking Executive Accountability Regime (BEAR) (contained in the Banking Act). Administered by APRA, BEAR imposes increased accountability obligations on senior executives and directors of ADIs in relation to their specific roles within the organisation as it relates to compliance with laws and notification of non-compliance.

Directors' duties and liability

  1. What are the duties of directors and senior managers, and what standard of care applies to the boards of directors and senior managers of financial services firms?

Duties are imposed on directors under both general law and the Corporations Act. Among these duties, some of the most significant are:

  • to act in good faith in the best interests of the company and for a proper purpose;

  • to exercise care and diligence;

  • to avoid conflicts between the interests of the company and personal interests;

  • not to improperly use a position to gain a personal advantage, or to cause detriment to the company;

  • not to improperly misuse information;

  • to maintain proper financial and accounting records;

  • to prevent the company from trading while insolvent (ie, while it is unable to pay its debts as and when they fall due); and

  • if the company is being wound up, to report to the liquidator on the affairs of the company and provide assistance.

In addition, at common law and in equity, directors are regarded as fiduciaries and therefore owe a duty of care to their company. Directors are required to exercise their powers with the standard of care and diligence that a reasonable person would use in similar circumstances. There is no specified standard of care. However, when determining whether a duty has been breached, a court will have regard to factors such as the circumstances of the business, the responsibilities of the directors within the company, the outcomes of decisions and the foreseeable risk of harm associated with them.

Additional obligations apply to directors on the board of a responsible entity of a registered managed investment scheme. These duties include:

  • to act honestly and exercise the degree of care and diligence that a reasonable person would exercise in the position;

  • to act in the best interests of the members of the scheme;

  • not to improperly misuse information;

  • not to improperly use a position to gain a personal advantage or cause detriment to the members of the scheme; and

  • taking reasonable steps to ensure the responsible entity complies with licensing requirements and the scheme’s constitution and compliance plan.

AFSL holders also owe a number of statutory obligations under the Corporations Act in addition to complying with licensing conditions and financial services laws and ensuring their representatives also comply with their obligations. These obligations include taking all reasonable steps to ensure financial services are provided efficiently, act honestly and fairly, managing conflicts of interest and maintaining the resources and competence to provide the services. If an AFSL holder’s clients include retail clients, there must be an internal dispute resolution system and also appropriate compensation arrangements in place, as well as a duty to act in the best interests of their clients and prioritise their clients’ interests if personal advice is being provided by the licensee.

The Banking Executive Accountability Regime (BEAR) (contained in the Banking Act 1959) creates accountability obligations for ADIs and their senior executives and directors (Accountable Persons). These obligations require accountable persons to take reasonable steps to:

  • act with honesty and integrity, and with due skill, care a diligence;

  • deal with APRA in an open, constructive and cooperative way; and

  • take reasonable steps in conducting their responsibilities as an Accountable Person to prevent matters from arising that would adversely affect the ADI’s prudential standing or prudential reputation.

Responsible managers are key individuals within a business and are thoroughly checked by ASIC to ensure that the AFSL holder is ‘competent’. Responsible managers must be of good fame and character, have the requisite skill and knowledge and be directly responsible for significant day-to-day decisions about the ongoing provision of financial services.

In 2019, ASIC amended information required for body corporates applying for an AFSL and now requires information about their ‘responsible officers’. ASIC must be satisfied that there is no reason to believe that any of the applicant’s responsible officers are not fit and proper persons. A responsible officer is defined as an officer of the AFSL applicant who would perform duties in connection with the holding of an AFSL. An officer includes a director or secretary of the applicant, a person who makes (or participates in making) decisions that affect all or a substantial part of the applicant’s business, a person in accordance with whose instructions the directors of the applicant are accustomed to act and extends to persons that control the AFSL holder or the officers of entities that control the AFSL holder. Responsible officers may also be responsible managers of the AFSL holder.

ASIC must also be satisfied that an individual is a ‘fit and proper person’ to engage in credit activities before an ACL can be granted. ASIC considers whether each of the people involved in managing a credit business are fit and proper people to perform that role. Relevant factors that determine a fit and proper person include competency, attributes of good character, conflicts of interest and any disqualification from the law.

  1. When are directors and senior managers typically held individually accountable for the activities of financial services firms?

Although a company has a distinct legal existence, directors may be held individually accountable under certain circumstances for any adverse outcomes deriving from activities of the firm. Key areas of potential personal liability include debts incurred when the company becomes insolvent due to insolvent trading, breach of director’s duties, guarantees over personal assets, illegal ‘phoenix’ activity involving the intentional transfer of assets from an indebted company to a new company to avoid tax obligations or debts incurred by companies acting as trustees.

Directors may also be held personally liable for breaches of other laws administered by other agencies, such as failing to satisfy a company’s tax obligations.

A director who fails to perform his or her duties may be guilty of a criminal offence with a penalty of up to a maximum of A$200,000 or imprisonment of up to five years, or both, be ordered to pay a civil financial penalty of up to A$200,000, be personally liable to compensate the company or others for any loss or damage they suffer, and be prohibited from managing a company.

Under the BEAR regime, variable remuneration payable to Accountable Persons of an ADI can be reduced where accountability obligations are not met and in serious cases of non-compliance with the accountability obligations, Accountable Persons may be disqualified from acting as an accountable person of an ADI.

Where a responsible manager or a senior manager of an AFSL holder acts solely in the capacity to maintain organisational competency, it is unlikely that they would be held personally liable unless they contributed to any breach, in which case they may be banned from acting as a responsible manager or be required to pay a fine. However, if a responsible manager or senior manager is also an employee providing financial advice or director of the licensee, he or she may be held personally liable if the advice breaches financials services laws or where the director’s duties (discussed above) are breached.

Private rights of action

  1. Do private rights of action apply to violations of national financial services authority rules and regulations?

Private rights of civil action apply to violations in certain circumstances, including for a breach of a statutory duty under the Corporations Act, a breach of the common law, breach of contract or breach of fiduciary duty. To establish that there was a breach of a statutory duty, a claimant bringing a private action must first prove that a duty of care was owed, the duty was breached, the breach caused the claimant to suffer an injury and the damage was a foreseeable consequence of the breach of the duty.

Standard of care for customers

  1. What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

Financial services providers are required to provide financial services in a way that is fair, efficient and honest. This standard applies to the provision of all financial services, regardless of the sophistication or experience of clients. Higher standards apply to financial services that are provided to retail clients. Financial services providers that provide personal financial product advice to retail clients have a further obligation to act in the best interests of such clients, and prioritise client needs over the provider’s own.

  1. Does the standard of care differ based on the sophistication of the customer or counterparty?

The Corporations Act distinguishes between retail and wholesale clients, with all clients assumed to be retail unless they satisfy one of the wholesale categories. The wholesale categories include (among others) clients with a gross annual income of A$250,000 or more in each of the previous two years or net assets of at least A$2.5 million.

Under the Corporations Act, retail investors are afforded greater consumer protections than a ‘sophisticated investor’. Sophisticated investors are expected to have a greater level of knowledge and, to a degree, to be able to look after their own interests to a greater extent as compared with retail investors.

On the other hand, firms providing financial services to retail clients must adhere to certain conduct and disclosure obligations. These obligations are designed to ensure retail clients receive good quality advice and are able to make informed decisions on that advice. Generally, a financial services firm must provide various disclosure documents before issuing a financial product to retail clients. This includes a financial services guide (disclosing what service the client receives), a statement of advice (disclosing what personal advice has been given considering the client’s circumstances) and a product disclosure statement (PDS) (disclosing what the financial product the client is buying), as well as information regarding compensation and complaint handling arrangements.

ASIC has published guidance for issuers of certain superannuation products and managed investment products issued to retail clients, which are required to make fee disclosures. Broadly, the enhanced fee disclosure regulations require an issuer to issue a PDS, describe certain transactions in periodic statements, disclose indirect costs and disclose the sum of all fees and costs. Notably, this guidance has recently been updated by ASIC, following industry feedback to help ensure fees and costs disclosure is practicable for industry while being informative for consumers.

Rule making

  1. How are rules that affect the financial services industry adopted? Is there a consultation process?

Rules that affect the financial services industry in Australia include federal legislation and associated regulations, regulator-specific rules, regulatory guidance and class orders. Much of the applicable legislation allows regulators to vary its effect on industry participants (including relief) through the use of RGs and class orders.

The adoption process varies depending on the nature of the rules or regulations being implemented or changed. Consultation processes will generally be undertaken with industry participants in relation to variations that will significantly alter the current regulatory framework. ASIC issues consultation papers seeking feedback from stakeholders on matters it is considering. These consultation papers outline ASIC’s proposals and questions for public consultation (eg, whether or not they agree with ASIC’s proposals and supporting reasons). Based on the public comments received from submissions to ASIC, ASIC decides whether or not to implement the changes to the relevant rules.

Cross-border regulation

  1. How do national financial services authorities approach cross-border issues?

The Corporations Act applies, according to its tenor, in relation to acts and omissions both in Australia and outside of the jurisdiction. Further, each provision is taken to apply, according to its tenor, to all natural persons (whether resident in Australia or not, and whether Australian citizens or not) and all bodies corporate and unincorporated bodies (whether formed or carrying on business in Australia or not). Therefore, the Corporations Act may apply in certain circumstances to corporations not having a nationality or territorial connection to Australia and corporations having a territorial connection to Australia where the conduct in question has not occurred in Australia. Financial services authorities have exercised investigative and enforcement rights arising in the context of this broad application. That is, simply adhering to obligations in Australia while engaging in misconduct in another jurisdiction will not necessarily excuse an entity from the ambit of the Corporations Act.

For financial services authorities, a relevant question is whether they are carrying on business in Australia.

If an offshore entity satisfies the definition of a ‘foreign company’ under the Corporations Act (ie, broadly, it is a company registered outside Australia), it must be registered with the Australian Securities and Investments Commission (ASIC) as a foreign company to carry on business in Australia.

Whether a body is ‘carrying on a business in Australia’ will depend on certain legal principles and the circumstances. An entity will be deemed to be carrying on a business in Australia if it has a place of business in Australia, establishes or uses a share transfer office or share registration office in Australia or administers, manages or otherwise deals with property situated in Australia as an agent, legal representative or trustee. Generally, the greater the level of system, repetition and continuity associated with an entity’s business activities in Australia, the greater the likelihood that those activities amount to ‘carrying on a business’ in Australia. For example, an insignificant and one-off transaction is arguably not indicative of a business being carried on in Australia. However, a number of small transactions occurring regularly, or a large and one-off transaction, may amount to carrying on a business.

As discussed above, whether an entity carries on a financial services business in Australia is a question of whether it intended to induce Australian consumers to access or receive the financial services it provides. This means the financial services regulatory regime may still apply even where that service is provided offshore.

International standards

  1. What role does international standard setting play in the rules and standards implemented in your jurisdiction?

Generally, Australia intends to implement most international standards and plays an active role in the setting of such standards. For example:

  • the Reserve Bank of Australia (RBA) is a member of the Financial Stability Board;

  • the RBA and Australian Prudential Regulation Authority (APRA) are members of the Basel Committee on Banking and Supervision;

  • AUSTRAC plays a key role in the Financial Action Task Force, Egmont Group of Financial Intelligence Units and the Asia/Pacific Group on Money Laundering; and

  • ASIC is a member of the International Organization of Securities Commissions.

Updates and Trends

Key developments of the past year

  1. Are there any other current developments or emerging trends that should be noted?

The implementation of recommendations coming out of the Royal Commission has witnessed a shift in power and approach by various regulators regarding how they intend to regulate the market. Notably, the Australian Securities and Investments Commission (ASIC)’s ‘why not litigate?’ approach to enforcement will set new standards regarding the regulator’s expectation of compliance by financial services firms, as the Treasury Laws Amendment (Design and Distribution Obligations and Product Intervention Powers) Act 2019 (DDO/PIP Act) gives ASIC a greater ability to intervene in financial product offerings where the regulator anticipates they are likely to result in significant detriment to clients. Additionally, a number of legislative changes have been enacted or are in various stages of implementation or consultation as a result of the recommendations of the Royal Commission which, principally, strengthen the protections afforded to clients of financial services businesses in Australia. The Council of Financial Regulators (comprising representatives from the Australian Prudential Regulation Authority, ASIC, Reserve Bank of Australia and the Australian government Treasury) has released a Cyber Operational Resilience Intelligence-led Exercises (CORIE) framework to test and demonstrate the cyber maturity and resilience of institutions within the Australian financial services industry. The CORIE framework has been developed to aid preparation and execution of industry-wide cyber resilience exercises. A key objective of the CORIE framework is to provide data and reporting to inform relevant Australian regulators of systemic weaknesses that may present a risk to the integrity and stability of Australian financial markets. The framework also aims to identify actions to uplift the cyber resilience of financial institutions.

Other than the above, the key developments of the past year have largely been in response to the covid-19 pandemic.

  1. What emergency legislation, relief programmes and other initiatives specific to your practice area has your state implemented to address the pandemic? Have any existing government programmes, laws or regulations been amended to address these concerns? What best practices are advisable for clients?

In March 2020, ASIC announced that in coordination with the CFR, it would focus its regulatory efforts on challenges created by the covid-19 pandemic. It stated that it would prioritise areas where there is the risk of significant consumer harm, serious breaches of the law, risks to market integrity and time-critical matters. Similarly, APRA announced it was placing a very high priority weighting on maintaining resilience within the financial system, including covid-19-related scenario and response planning. This has involved actively contacting financial institutions to test their pandemic planning and response.

In response to a government measure allowing early access to a portion of superannuation in limited circumstances for those adversely financially affected by covid-19, ASIC provided temporary relief to allow financial advice providers not to give a Statement of Advice to clients when giving advice about early access to superannuation.

ASIC also extended the deadline for both listed and unlisted entities to lodge financial reports under the Corporations Act by one month for certain balance dates up to and including 7 January 2021. ASIC noted that the extended deadlines for lodgement will assist those entities whose reporting processes take additional time due to current remote work arrangements, travel restrictions and other impacts of the covid-19 pandemic.

Australian states and territories introduced temporary relief permitting electronic signing and remote witnessing, or in some cases not requiring witnessing of deeds, which was generally accepted as not allowed under law prior to the pandemic. While these remain in place, the relief is currently temporary and it is unclear whether these law changes will be permanently adopted.