Reshaping the Regulatory Landscape

Unpacking ASIC and APRA’s Latest Roadmap

In August 2023, ASIC and APRA both released their latest Corporate Plans outlining their updated priorities for 2023-2024. The regulators’ Plans reflect the changing operating environment of the last 12 months and respond to emerging issues and trends across the regulatory landscape. Importantly, and perhaps predictably, there remains a focus on the prioritisation of enforcement outcomes.

A volatile economy driving key priorities

As inflation continues to elevate,1 the Reserve Bank of Australia continues to eye interest rate increases, which significantly impact consumers who face a higher cost of living and larger loan interest payments. As a result, ASIC and APRA have become more active in monitoring the financial services industry and its treatment of indebted customers.

In addition, as highlighted by APRA, other changes in the regulatory environment and geopolitical factors have influenced the development of the Corporate Plan, such as the increasing volume of hacks and scams, which has led to the focus on minimising cyber-security vulnerabilities, and the frequency of natural disasters which has caused an increase in the unaffordability of insurance.

Heightened focus on operational resilience and customer outcomes

In some respects, this year’s plans demonstrate that the regulators have not steered far from their existing priorities and focus areas from previous years. Significant aspects of the core messaging from APRA and ASIC’s 2022-23 Corporate Plans have been retained in their targeted plans for 2023-2024. Given the continuing significance of cyber and technological advancements, economic pressures, and demographic shifts, that is perhaps unsurprising.

Where there is significant movement, it relates to moving on from the negative effects of COVID-19, with a focus on emerging trends and newer regulatory obligations, particularly around climate risk, retirement outcomes and scam prevention. Both APRA and ASIC have also said they will focus on implementation of the Financial Accountability Regime (FAR). This aligns with their long-held strategic view that good culture, and a focus on personal and organisational accountability for the delivery of good consumer outcomes and management of risk, is foundational to being a responsible regulated entity.

Key priorities and shared focus areas

What this means for regulated organisations?


  • Sustainability reporting integrity. Organisations need to remain vigilant about ESG-related disclosures, as ASIC’s focus is on products being true to label, both in terms of what is and is not included, in the context of greenwashing. ASIC has said it will continue to take enforcement action where needed to address misleading marketing and misconduct. ASIC is also supporting the Government’s sustainable finance strategy and will introduce a mandatory climate-related disclosure regime that is aligned globally. Meanwhile, APRA has said it has increasing expectations regarding the appropriate reflection of the impact of climate change on asset and income valuation, underwriting risks and the resulting impact on organisational risk profiles.
  • Greater transparency. This is a recurring theme from the 2022-23 Corporate Plans. Product issuers must be able to evidence that investment products are ‘true to label’ and can, for example, show evidence of the process/measures undertaken to demonstrate the sustainability of their products and that the product name aligns with the underlying assets. Organisations should also avoid making ambiguous statements or using vague terminology.

    To assist with this, as well as with the transition to the mandatory climate disclosures, Deloitte recently partnered with the Australian Institute of Company Directors (AICD) and MinterEllison to develop a guide to help organisations prepare for Mandatory Climate Reporting.

Cyber and Operational Resilience

  • CPS 230 implementation. Regulated entities will be required to implement CPS 230 by the effective date 1 July 2025. Organisations will need to address identified weaknesses in controls designed to mitigate operational risks, especially business continuity and third-party risk management.
  • Adaptability. Organisations must be able to shift their priorities in line with the regulators, embedding changes following risk transformation programs, and integrating updates from framework amendments in CPS 220, CPS 510 and CPS 520. It is also important that senior leaders be involved in the oversight of critical operations.
  • Accountability and governance. Authorised deposit-taking institutions (ADIs) must continue complying with the Banking Executive Accountability Regime (BEAR) until FAR comes into effect from 15 March 2024. Organisations must strengthen and uplift individual accountabilities and governance practices in line with the proposed FAR regime, especially as APRA is updating its prudential standards to align with FAR. From now until the commencement date of FAR, organisations should be participating in pre-commencement activities, which involve the submission of draft FAR information to the regulators.
  • CPS 234 assessment. Regulated entities will be required to review, maintain, and assess their information security capabilities on an ongoing basis to ensure the maintenance of cyber resilience.

Scams and Technology Risks

  • Anti-scam practices. In recognition of the significant role banks play in scam prevention and detection, ASIC intends to work more closely with the sector to identify ways to strengthen anti-scam practices and enhance customer outcomes. Organisations should undertake ongoing reviews of scam prevention, detection, and response capability to ensure frameworks remain fit-for-purpose and provide consistent and appropriate approaches to enhance anti-scam capabilities. Organisations are encouraged to leverage insights from REP 761 to strengthen and improve anti-scam practices.
  • Operational resilience. Aligned with CPS 230, APRA’s focus on strengthening operational resilience (see above) is intended to reduce the community impact of scams.

Customer Outcomes

  • Product governance.
    • ASIC and APRA released their joint report REP 766 Implementation of the retirement income covenant on 18 July 2023 which found that the superannuation sector had significant work to do to demonstrate the discharge of retirement income covenant obligations. With the regulators’ enhanced focus on firms’ implementation of the retirement income covenant, organisations should consider implementing the priority actions and better practices as outlined in the joint report.
    • APRA will also be focusing on addressing unacceptable product performance, while ASIC will continue to take action against misleading conduct and poor governance, especially where members’ balances are adversely impacted. Organisations should consider these focus areas and put in place plans to closely monitor their governance practices over product performance.
    • ASIC continues to focus on the protection of consumers from harm, and in particular testing compliance with distribution obligations. This includes surveillance of insurers (in particular, low-value and higher risk offerings) under the Design and Distribution Obligations and protecting the financially vulnerable affected by predatory lending practices (including high-cost credit contracts and debt collection misconduct). As such, organisations should look to review the appropriateness of their product governance, lending practices and customer vulnerability processes and ensure they do not cause customer detriment.
  • Crypto-assets.
    • Treasury has also recently announced its intention to regulate crypto-assets at the level of the crypto exchanges under existing financial services laws. Exchanges holding more than $5 million in aggregate, or more than $1,500 for any individual, must obtain an Australian Financial Services Licence (AFSL) regulated by ASIC.

What are some actions organisations can start to undertake?

Watch this space!

We will continue to provide insights into the challenges organisations face and explore how to pragmatically meet regulatory expectations across the priority areas. Contact us if you’d like to learn more about our solutions and how we can help you.