In this edition of Gilbert + Tobin’s Financial Services Regulation Newsletter, we focus on key legal developments over the last fortnight.
Contents
On the pulse
Extending the small business responsible lending obligations exemption - see consultation .
ASIC sues ASX for alleged misleading statements - see media release .
A guide to ‘good’: delivering better retirement outcomes and member services for Australians - see speech .
APRA shares further insights on common cyber control weaknesses - see letter .
APRA Deputy Chair Margaret Cole - Speech to the Conexus Retirement Conference - see speech .
APRA imposes additional licence conditions on the trustees for Cbus and BUSSQ - see media release .
ASIC Financial advice update - see media release .
APRA lifts N.M. Super’s additional licence conditions - see media release .
AICD and AISA publish cyber security governance guidance for directors of small businesses and not-for-profits - see media release .
ACCC proposes to allow collaboration in the cash in transit industry - see media release .
ASIC's first greenwashing case $11.3 million penalty: ASIC v Mercer [2024] FCA 850 .
Cryptocurrency assets are property: ASIC v NGS Crypto Pty Ltd (No 3) [2024] FCA 822 .
G+T Insight - Spotlight on greenwashing: Aussie court decision’s potential impact on global private equity managers and their investors - Rob Newham and Luke Barrett (14 August 2024).
G+T Insight - The Privacy Act reform bill - is August the month that it will happen? - Melissa Fai and Dal Lim (9 August 2024).
G+T Insight - Regulatory Rumblings - Quarterly Update July 2024 - Elizabeth Hilliard and Sarah Martin (9 August 2024).
G+T Insight - Landmark Federal Court penalty for ASIC greenwashing proceeding - Jeremy Jose and Luke Barrett (6 August 2024).
G+T Insight - Regulators turning up the heat on super funds and retirement incomes - Luke Barrett (2 August 2024).
Legislation and proposed legislation
Extending the small business responsible lending obligations exemption
The government has released the Treasury Laws Amendment Instrument 2024: Small Business Exemption for public comment. Submissions closed on 19 August.
This draft regulation proposes extending a current exemption that allows small business loans to be free from responsible lending obligations, provided there is a genuine business purpose. Initially set to expire on 3 October 2024, the exemption would be extended for two more years, until 3 October 2026.
See Consultation
Australian Securities & Investments Commission (ASIC)
ASIC sues ASX for alleged misleading statements
ASIC has initiated Federal Court proceedings against ASX Limited for allegedly making misleading statements about its CHESS replacement project.
ASIC claims that ASX's announcements on 10 February 2022, which indicated the project was “on-track for go-live” in April 2023 and “progressing well,” were misleading. According to ASIC, these statements falsely suggested the project was adhering to the announced plan, despite ASX having no reasonable basis to make such claims.
ASIC Chair Joe Longo emphasized the significance of accurate statements from ASX and described this as a collective failure by the ASX Board and senior executives.
See Concise statement , Originating application and ASIC media release .
A guide to ‘good’: delivering better retirement outcomes and member services for Australians
On 14 August 2024, ASIC Commissioner Simone Constant gave a speech at a joint ASIC/APRA session at the Conexus Institute Retirement Conference. She noted that ASIC is prioritizing better retirement outcomes and member services, with a particular focus on addressing member service failures.
ASIC is focused on the need for funds to be transparent, accountable, and member-focused, ensuring consistent delivery of value and services to Australians both during retirement and in the years leading up to it. ASIC expects funds to communicate proactively and responsibly manage members' money, consistently meeting fair standards.
See full speech .
ASIC Financial advice update
The topics of this update are:
Maintaining accurate records on the financial advisers register
ASIC’s review of cold calling for superannuation switching business models
Report 779 Superannuation and choice products: What focus is there on performance?
See ASIC’s Financial Advice Update .
ASIC extends operation of record-keeping and breach reporting instruments
ASIC has proposed to extend the operation of the following legislative instruments, due to expire in October 2024, for a further five years:
ASIC Corporations and Credit (Breach Reporting - Reportable Situations) Instrument 2021/716 .
ASIC Credit (Breach Reporting - Prescribed Commonwealth Legislation) Instrument 2021/801 .
ASIC Key actions and proceedings
ASIC’s first greenwashing case results in landmark $11.3 million penalty for Mercer - In a landmark case for ASIC, the Federal Court ordered Mercer Superannuation (Australia) Limited to pay an $11.3 million penalty for making misleading statements about the sustainable characteristics of its superannuation investment options. See ASIC media release and a more in-depth case summary below.
ASIC suspends AFS licence of Id Funds Management Limited - ASIC has suspended the Australian financial services (AFS ) licence of Id Funds Management Limited (Id Funds) until 28 February 2025. The suspension was due to Id Funds' failure to meet its statutory audit and financial reporting lodgement obligations. See ASIC media release .
Australian Prudential Regulation Authority (APRA)
APRA shares further insights on common cyber control weaknesses
APRA has written to all regulated entities to provide further insights and guidance on common cyber control weaknesses. This letter is part of APRA's ongoing commitment to supervising cyber resilience across industry, and follows the previous letter on the security and adequacy of back-ups.
The letter details the common issues observed in terms of security in configuration management, privileged access management and security testing. APRA expects regulated entities to review their control environment against these common weaknesses and address any identified gaps promptly.
The letter is available on the APRA website at: Additional insights on common cyber resilience weaknesses .
APRA Deputy Chair Margaret Cole - Speech to the Conexus Retirement Conference
In this speech to the Conexus Retirement Conference, APRA Deputy Chair Margaret Cole emphasised the critical focus of APRA and ASIC on enhancing retirement outcomes for Australians, highlighting the need for superannuation funds to refine their strategies as they shift from accumulation to retirement phases. She stated that while the industry has made significant strides in supporting members during accumulation, the urgent task now is to address the diverse needs of retirees, particularly as a large number approach preservation age.
Recent reviews have shown some progress but also pointed to deficiencies in measuring the effectiveness of retirement strategies and catering to disengaged members. The updated prudential standard, SPS 515, mandates regular reviews and annual demonstrations of strategy effectiveness. Finally, she noted that APRA and ASIC will continue their collaborative efforts to drive improvements, urging funds to act promptly and innovate to better support members throughout their retirement.
See the full speech .
APRA imposes additional licence conditions on the trustees for Cbus and BUSSQ
APRA has imposed additional licence conditions on United Super Pty Ltd (Cbus) and BUSS (Queensland) Pty Ltd (BUSSQ) to address concerns over their fitness and propriety processes and fund expenditure management.
United Super, which manages $92 billion for 923,000 members, and BUSSQ, managing $6.7 billion for 73,000 members, have ties to the CFMEU through shareholdings and board members. Although unproven, the CFMEU has been the subject of serious public allegations which have raised concerns about the potential impact on the trustees. APRA requires both trustees to engage an independent expert to review their compliance with Prudential Standard SPS 520 Fit and Proper and ensure they act in the best financial interests of beneficiaries. APRA intends for these reports to be published to maintain transparency.
Deputy Chair Margaret Cole emphasised the importance of strong governance practices, noting that compliance with these conditions will help ensure trustees are making decisions in the best financial interests of their members.
See APRA media release .
APRA lifts N.M. Super’s additional licence conditions
APRA has removed additional licence conditions previously imposed on N.M. Superannuation Proprietary Limited (N.M. Super), part of the AMP group, which manages $114 billion in assets. These conditions were originally imposed in 2019 due to governance and risk management concerns identified by APRA. In 2021, N.M. Super agreed to a court enforceable undertaking to address these issues. APRA is now satisfied that N.M. Super has completed the required rectification work, including member remediation, and has revoked the licence conditions effective 2 August.
See APRA media release .
Other bodies and regulators
AICD and AISA publish cyber security governance guidance for directors of small businesses and not-for-profits
On 1 August 2024, AICD and AISA jointly released the ‘ Cyber Security Handbook for Small Business and Not-for-Profit Directors ’ which provides guidance for small business and not-for-profit directors in relation to cyber security governance. Directors of small businesses and not-for-profits often have a very hands-on role, which can increase the challenges and complexity faced by those directors. This guide, therefore, aims to assist those directors in building a foundation for cyber resilience and covers: (1) what role a director serves in the ever-shifting cyber threat environment; (2) the fundamentals of cyber security; (3) how to create a culture of cyber resilience; (4) risk management; and (5) cybersecurity incident response planning. We expect a continued regulatory focus on IT and cyber-related risks as the importance of information and data management to businesses in all sectors increases with the growth and universality of artificial intelligence.
According to the AICD and the Australian Signals Directorate , the cyber-threat environment for Australian businesses has increased dramatically, with a ~23% rise in the number of cyber crimes reported. For most companies, it is a matter of ‘when’ (not ‘if’) a cyber incident will occur. There are many dimensions to an organisation’s cyber risks. On 1 August 2024, the AICD published an article warning directors of one such dimension, being the security and operational risks posed by old and outdated IT systems, which do not receive the usual security updates and bug fixes that more modern systems do. This can leave companies vulnerable to outages and cyber-attacks, which can open the door to the rest of the organisation for hackers. Old and outdated IT systems can increase the likelihood that companies are exposed to security incidents including systems being taken offline, service deliveries being disrupted and the destruction or leakage of important data - all of which can lead to the loss of public confidence. According to the AICD, directors should consider old and outdated IT systems as a high risk and should require reporting to the board or risk committee regularly to ensure the board has adequate oversight.
ACCC proposes to allow collaboration in the cash in transit industry
The ACCC has issued a draft determination proposing to grant authorisation, with conditions, to the Australian Banking Association (ABA) and its member banks to support business continuity in the cash-in-transit industry, particularly in response to a potential disruption or exit of Armaguard’s cash-in-transit services. The ACCC has also granted interim authorisation while the ACCC continues to assess the ABA’s applications. The interim authorisation includes conditions which ensure the ABA provides regular reports on their discussions with industry participants, including those outside of Reserve Bank working groups. The ACCC is seeking submissions on this draft determination to ensure the interests of all Australian communities, especially in regional and remote areas, are considered before making a final decision.
See ACCC media release .
Corporate cases
ASIC's first greenwashing case $11.3 million penalty: ASIC v Mercer [2024] FCA 850
The Federal Court has given judgment in ASIC’s first greenwashing case, Australian Securities and Investments Commission v Mercer Superannuation (Australia) Limited [2024] FCA 850 ordering that Mercer pay pecuniary penalties totalling $11.3 million after admitting to making misleading statements about the sustainable nature and characteristics of some of its superannuation investment options, in contravention of ss12DB(a) and 12DF(1) of the Australian Securities and Investments Commission Act 2001 (ASIC Act).
The Court also ordered that Mercer publish a notice on its website notifying the public of the false and misleading statements. Mercer was also ordered to pay ASIC’s costs of and incidental to the proceeding, and the expenses of the investigation under s91 of the ASIC Act, in the agreed sum of $200,000.
Representations
The contravening conduct comprised representations relating to the nature and characteristics of financial services provided through seven “Sustainable Plus” investment options (Options), that they excluded investments in companies involved in or deriving profit from production/sale of alcohol; gambling; and the extraction/sale of carbon intensive fossil fuels (excluded industries).
The representations were made by statements and video on Mercer’s website, Vimeo and YouTube, between 2021 and 2023.
Findings on representations
The Court found that the representations were misleading as six of the seven Options included investments in companies which Mercer had represented were excluded. These included:
15 companies involved in the extraction or sale of carbon intensive fossil fuels (eg, BHP Group Ltd)
15 companies involved in the production of alcohol (eg, Budweiser Brewing Company APAC Ltd)
19 companies involved in gambling (eg, Aristocrat Leisure Limited).
Horan J ultimately found, after applying the principles summarised in Self Care IP Holdings v Allergan Australia [2023] HCA 8, that Mercer’s representations were made without reasonable grounds and that “there was a real possibility that they would lead the persons to whom they were made into error.”
Penalty findings
Horan J agreed with the parties’ joint submissions as to the payment of pecuniary penalties amounting to a total of $11.3 million.
In coming to this determination His Honour notably found:
The substantial increase in recent years for investment products focused on ESG considerations and the strong incentive for AFSL holder to focus on such considerations, as reflected by the representation on Options, reinforces the seriousness of the contraventions.
The contraventions were serious, arising from a failure to implement adequate systems to ensure accurate representations were made, failure to monitor and enforce application of sustainability exclusions associated with ESG claims.
On the general deterrent effect of this case, His Honour went on to state:
The outcome of enforcement proceedings such as the present case should send a clear signal to AFSL holders and other market participants to ensure transparency and accuracy when making any ESG claims, and to exercise diligence in adhering to such claims.
Whilst Mercer took some actions to address the misrepresentations made in the video and website statements, after being notified of the impending publication of Market Forces articles alleging that the Options invested in carbon intensive fossil fuels, no complete or thorough review of all public statements or wide-ranging corrective action was taken until after commencement of proceedings. His Honour concluded that:
In such circumstances, the contraventions admitted by Mercer involved more than carelessness, and may be regarded as at least reckless, if not deliberate . The conduct was engaged in by officers at a senior management level.
After commencement of these proceedings, remedial and corrective action was taken including publication of a Sustainable Investments Information Booklet disclosing to members the exposure of the Options to excluded industries. His Honour was satisfied that Mercer ensured that proper disclosure was made to existing and potential investors as to the possibility that some of the Options might have exposure to excluded industries.
Mercer’s co-operation in agreeing to substantial proposed pecuniary penalties and in taking remedial and corrective action, together with admitting to the contravention at the earliest opportunity were considered relevant in reducing the amount that would otherwise be assessed as a pecuniary penalty .
Focus on Greenwashing
Horan J highlighted that greenwashing was a key regulatory and enforcement priority, referring to the inquiry on greenwashing being undertaken by the Senate Standing Committee on Environment and Communications, with its report being due by 20 November 2024.
Cryptocurrency assets are property: ASIC v NGS Crypto Pty Ltd (No 3) [2024] FCA 822
In the recent judgment of Australian Securities and Investments Commission v NGS Crypto Pty Ltd (No 3) [2024] FCA 822 Collier J found that, for the purposes of an interlocutory application, the definitions of "financial service", "financial product", "financial investment" and "property" in the Corporations Act 2001 (the Act) were sufficiently broad to encompass cryptocurrency assets in appropriate circumstances.
The third defendant, NGS Group HK Company Number 1963940, and its director, a Mr Caten applied to discharge previous orders made appointing receivers over the digital currency assets of certain blockchain mining companies under section 1323 of the Act.
In determining the application, the Court relevantly stated: financial service , financial product financial investment and property in the Corporations Act are sufficiently broad to encompass cryptocurrency assets in appropriate circumstances ”.
G+T articles
G+T Insight - Spotlight on greenwashing: Aussie court decision’s potential impact on global private equity managers and their investors - discusses the growing regulatory scrutiny on Australian institutional investors regarding their environmental and social commitments, highlighting significant legal risks, especially concerning greenwashing, for Private Funds and offering guidance on how to manage these risks effectively - Rob Newham and Luke Barrett (14 August 2024).
G+T Insight - The Privacy Act reform bill - is August the month that it will happen? - identifies areas we believe will be a priority for the Australian Government in reforming the Privacy Act, the likely efficacy of the reforms given the current inadequate funding for the OAIC and what businesses can expect and do to prepare - Melissa Fai and Dal Lim (9 August 2024).
G+T Insight - Regulatory Rumblings - Quarterly Update July 2024 - quarterly round-up of the key enforcement developments and updates that ASIC-regulated entities and individuals need to know about, packaged up in a five-minute read and brought to you by our Disputes and Investigations team - Elizabeth Hilliard and Sarah Martin (9 August 2024).
G+T Insight - Landmark Federal Court penalty for ASIC greenwashing proceeding - discusses the Federal Court's decision on 2 August 2024, where Mercer Superannuation was found guilty of misleading the public with false ESG claims, resulting in a $11.3 million penalty, and emphasizes the importance of accuracy in ESG representations amid increasing regulatory scrutiny on greenwashing practices - Jeremy Jose and Luke Barrett (6 August 2024).
G+T Insight - Regulators turning up the heat on super funds and retirement incomes - discusses Luke Barrett's presentation at ASFA’s retirement income conference, where he highlighted regulators' dissatisfaction with the superannuation industry's approach to retirement incomes, urging for significant improvements in measuring real-life retirement outcomes for members and signaling potential enforcement actions if changes are not made - Luke Barrett (2 August 2024).
Calendar dates
1 October 2024 - Report on the independent review of Australia’s credit reporting framework due .
14-15 November 2024 - ASIC annual forum .
20 November 2024 - Final report due in the Senate inquiry into greenwashing .
28 February 2025 - Updated Banking Code of Practice (2025 version) comes into effect .
15 March 2025 - Financial Accountability Regime takes effect for superannuation and insurance bodies .