Day one
Diane Tate Opening Remarks
- Diane made opening remarks about the external risk environment and regulatory issues facing the sector, including:
- Relief, repair, restraint and rebuilding supply chains.
- Digital and cyber-security in the finance sector.
- Vulnerable customers.
- Sustainability and greenwashing.
- CEFC’s work - $10b in funding available for partnerships.
- Privacy laws to be changed.
- Consumer Data Right and Open Finance.
- Financial inclusion in the context of cost of living.
- Compensation Scheme of Last Resort and Financial Counselling funding - the finance sector will be asked to do more.
Session 1: The Big Picture
AML/CTF
- Attorney-General has announced consultation on AML-CTF reform. Important for the finance sector to be engaged during this process.
- There has been an increased use of external audits and enforceable undertakings.
Unfair Contract Terms
- The finance sector should review contracts for unfair contract terms given new laws taking effect on 9 November 2023.
- Penalties are significant.
Financial Accountability Regime (FAR)
- New laws equal more obligations.
- FAR to extend Banking Executive Accountability Regime (BEAR) to all ASIC/APRA regulated entities. Key features include key personnel obligations, deferred remuneration obligations and notification obligations.
- Financial Sector Reform Act 2022 (Cth) (FSR) – new anti-avoidance measures to encourage compliance with NCCP Act and supplement product intervention orders.
- Privacy Act reform - 116 proposals for change under the Privacy Act – tighter timeframes for notifiable data breaches and increased cyber security controls. Minimum/maximum data retention periods and need to describe them in privacy policies.
Session 2: ASIC Deputy Chair, Sarah Court
- ASIC has published enforcement priorities to enhance transparency.
- Focus areas for 2023 include:
- predatory lending
- DDO
- greenwashing
- crypto
- pricing promise failures
- unfair contract terms for general insurers
- Enduring priorities include:
- misconduct, especially affecting indigenous people
- systemic compliance failures.
- ASIC outlined elements of its Regulatory toolkit:
- Discussed the different types of tools available to the Regulator including proceedings, infringement orders, stop orders, banning orders, warnings, and publication.
Session 3: ACCC Chair, Gina Cass-Gottlieb
- Annual announcement of enforcement and compliance priorities – financial sector remains a key priority for the ACCC – competitive markets that work in the interests of consumers.
- 83 of SMEs start with Facebook ads.
Financial services priorities
- Must address anti-competitive conduct and promote competition.
- Inquiry under direction from Treasurer on bank deposit rates and credit interest rates.
- Contributing to review of payments system.
- ACCC action against Mastercard in FCA re: anti-competitive conduct regarding least-cost routing initiative.
- Consumer reforms:
- Government’s national anti-scam centre - ACCC Report shows Australians lost 3.1b in 2022 – up 80% from 2021 – investment scams most common.
- New UCT - previously, it was not a contravention of the Act to have a UCT. Now, along with terms being struck out, there are penalties and a legal record of unfair terms being a contravention of the Act.
- Economy wide unfair trading prohibition proposal – regulate ‘hard to exit’ products and ‘excessive collection of data’.
- Excessive collection of data and misleading design frameworks may negate informed consent.
- Long terms may negate effectiveness of consent.
- Digital platform markets:
- Digital platforms are not currently doing enough to protect against scams and fake reviews.
- Need more verification of businesses, products.
- Concern of ‘self-preferencing’ by digital platforms, i.e. in search results.
- Tying – i.e. – can only use Google or Apple products to pay in app store.
- The question of targeted ads.
Session 4: Dr Zili Zhu – CSIRO
- AI can be used to assist predictions for long term effects of uncertainty on decision making.
- Potential for using AI in the context of credit assessments.
- Explainable AI and discrimination concerns in credit analysis.
- Future predictions are always fraught.
Session 5: Chris Coldrick – Deloitte
- Difficulty of product and staff shortages.
- Cyber issues
- Increased insolvencies
- Changes in Government policy – consequences and risks for organisations
- Illumination of supply chains:
- Know your network.
- Sense risks and insights.
- Act on actionable insight to mitigate risk.
- Contract with suppliers who have different secondary suppliers to mitigate risk
- Examine who are the suppliers behind the suppliers and what products are they moving.
- Run entire exercise – find three things and mitigate.
- Chris outlined 2 case studies, one involving automotive disruption and one involving retail disruption. Key obstacles and solutions included:
- missing suppliers
- short memories
- cost sensitivity
- economies of scale
- lack of broad understanding of supply chain issues
- lack of supply chain leaders’ skills
- automated warehouses are less susceptible to labour shortages
- investments in last mile scheduling.
Session 6: Brendan Tapley – PwC Sustainability
- Outlined myriad of climate disclosure tools
- Responsible investment, accounting for ESG, now valued at $1.5 trillion under management
- Challenge of measuring ESG data – i.e. water and energy consumption, diversity and inclusion data, external assurance etc.
- 98% of businesses are small businesses – exempt from emissions reporting?
What steps can you take for ESG?
- Set an ESG strategy which is embedded in business strategy.
- Plan alignment to leading ESG standard.
- Plan public commitments and disclosure
- Recruit talent
- Benchmark on material topics
- Seek assurance.
Session 7: Let’s Talk About Privacy – Kelly Dickson
- Malicious and criminal attacks consistently account for 62-63% of breaches.
- 33-35% of breaches are based on human error.
- 12-15% of all data breaches are in the finance sector.
- This is privacy awareness week.
- Key themes:
- People: awareness + training + culture of compliance.
- Systems: secure PI / breach preparedness / preventative systems.
- Data minimisation – collection / retention.
Day two
Session 1: David Locke - AFCA
- 70k complaints annually – an increase of 27% re: banks and +43% BNPL in last 12 months.
- The number one issue financial counsellors see is mortgage arrears, for the first time in 10 years.
- 420 scam complaints monthly, 4161 + 28% - more complaints about scams than any other issue
- Importance of vulnerable consumers – elderly, live alone, mental health or financial hardship
- AFCA 2021 independent review after recommended rules changes needed
- AFCA supports:
- Where an appropriate offer of settlement has been made, want to get consumer to accept – rules change
- Want a tougher approach re: 3P representatives, debt management firms – not always in consumer best interests – rules change
- Greater emphasis on systemic issues, on top of individual case management.
- Support AFIA single code work – AFCA have to look at what codes say and what ‘good industry practice’ looks like. In the absence of robust codes, need to look to proxies like banking code. Better to have bespoke codes.
- CSLR – passed HoR, sitting in Senate, listed for 11 May 2023 debate in Senate.
- AFCA fees should not increase over CPI and AFCA hopes to deliver decreases in cost and increases in speed and efficiency.
Session 2: CDR Session – John Harrison, Yodlee and Dennis Rappoport, Liberty
- Adopting CDR early gives flexibility but has cost.
- The panel discussed the strategic question of whether to build or buy, including the decision on the data holder and data recipient side. Does it make more sense to use vendors rather than building from scratch?
- The panel outlined different models of participation in CDR eg Full participation v CDR insights model, trusted adviser model: other approaches.
- Data controls are important and very onerous requirements here.
- Need to communicate changes across your organisation.
- Data privacy has been baked into CDR from start – high control, detailed and non-transferable consents.
- OAIC/ACCC published guidance on interactions between CDR and the Privacy Act, but both sets of regulation always have to be considered.
- Entities will need to figure out what your goals are – best model, requirements, customer needs.
- CDR allows aggregation of various accounts and payments in one place.
- CDR also helps with other use cases such as verification and AML-CTF assessments, as well as credit and hardship assessments.
- Banking Sector – CDR Desk – definition of publicly offered cf bespoke product – generally advertised + highly customized + other features.
Session 3: The Evolving Payments Landscape – Jennifer Turner, AMEX
- Business payments in a consumer focus.
- Need for innovation – in Australia, innovation is often consumer driven.
- The importance of apps and Open Banking – consumers want efficiency and ease.
- Difficulties of the pandemic with labour shortages, cashflow impacts etc – led to impacts on SMEs and large corporations in terms of ways of securing their long-term debt.
- Pandemic led to a huge requirement for working capital as cash advance and overdrafts no longer covered.
- Pandemic didn’t lead to new products, but innovative ways of using existing payments products.
- Identification and verification requirements can impede productivity. Digital ID could both improve safety and efficiency. But no one wants to pay to do it.
- Businesses want payments to be – cheaper, simpler, faster and easier.
- Implications of Payments System Review / UCT and unfair trading prohibitions.
Session 4: Operational Resilience – APRA
- APRA want to drive effective use of data to make decisions and reduce reg burden.
- APRA published policy priorities – tech and data – modernising prudential architecture.
- John Lonsdale – “Australians can be confident their banking system is among the most secure in the world” but “scope to do more on operational resilience”.
- Safeguards are important to anticipate disruptions.
- CPS 230 – 1) improve operational risk practices through enhanced focus of boards and senior management + 2) minimise impact of disruptions to customers and the financial system.
- Understand your end-to-end value chain.
- Insufficient planning and preparation for crises – everyone should know their role ahead of time.
- Need to explain these complex issues simply. What is the appropriate level of information?
- Cyber attacks – 1) prepare + 2) detect (figure out when and for how long and what took) + 3)
- If you can defend that you’ve done your best to 1) prepare 2) detect 3) respond, you have fulfilled your obligations.
- Interconnectedness/globalisation have increased supply chain risks in cyber.
Session 5: Credit Law Regulation – Steven Klimt from Clayton Utz
- Steven provided a retail credit law update.
- He outlined SACC amendments which commence 12 June 2023.
- Also BNPL reform and potential changes here.
- Responsible lending obligations, the state of play following the Wagyu v Shiraz decision and how it compares to obligation in the Credit Act and RG209.
- Design and distribution obligations (DDO) and ASIC enforcement.
- Short term credit exemptions – lessons from Cigno.
SACC amendments
- 12 June 2023 – FSR 2022 amendments commence – loans of 2k for b/w 16 days to 12 months.
- Civil penalties of 5,000 penalty units for contravention of new provisions.
BNPL Reform
- Increasing popularity – grew by 37% in FY22 to $16 billion.
- BNPL helped to create or retain 120,200 jobs – 21.2% increase in preceding year.
- November 2022 – Treasury released BNPL Options Paper – view that there is an unintended regulatory gap in BNPL products
- Treasury put forward 3 options for future regulation 1) strengthened industry code 2) limited regulation under the Credit Act 3) Regulation of BNPL under Credit Act, with full RLOs.
- ASIC supports Option 3.
Three key aspects to reform:
- The extent to which BNPL required to conduct unsuitability assessment under the Act.
- Scalability – don’t apply just to BNPL in Act – apply to all credit products.
- Access to credit reporting system – credit scores are not regulated / objective.
- Licensing of BNPL providers.
Responsible lending and the status of Westpac:
- 2020 – FCAFC dismissed ASIC’s appeal.
- RG209 hasn’t been updated to take into account the appeal in Westpac.
- Watch this space as there may be future developments.
DDO
- ASIC crackdown on compliance with DDOs.
- At April 2023, ASIC had issued 28 interim stop orders.
- Lessons from One Credit Card, Amex and Firstmac
- ASIC v Amex - David Jones credit card.
Cigno Case
- FCAFC is the law on this issue.
- Lender entered credit contract with consumer where they provided credit and a small fee – not subject to licensing or NCCP – channeled into this product by another company.
- Financial supply fee + account keeping fee paid by secondary supplier.
- Financial supply fee was $13 + 60% of the amount of credit + $5.95 per week
- Issue – was the fee a fee or charge that is or may be made under the BHF loan agreement? If yes, then credit regulated under NCCP Act.
- Charge construed in exchange of, on account of or by reason of the provision of credit. S6(5) of the Act = broad construction of fee for credit with broad implication for NCCP Act
- Court didn’t want parties to avoid the Act.
Session 6: Cyber Security and Data Protection
- Pre-understanding cyber risk, must understand the threat environment that motivates baddies.
- Financial incentives for cyber crime huge – 2025 = $10.5T.
- By 2025, profit from cyber crime will be higher than profits from global drug trade.
- Cyber criminals can be distracted by geopolitics – Russia / Ukraine.
- When cyber criminals get dissatisfied, they break away and act outside rules.
- Moved from smash and grab to patient and specific intelligence gathering.
- Insider information is a key trigger – who has access to passwords?
- Threat actors have learned to cover their tracks very well.
- Need to respond in an urgent but sustained fashion – intense 6 weeks, less intense 6 months, remediation full year, then investigations and class actions.
- Often need to respond to cyber attacks without access to your information / IT systems.
- Home Affairs is a major regulator but we’re not used to working with them.
- Ashurst response to Cyber Security discussion paper:
- Directors duties are on agenda but won’t be specific cyber duty.
- Boards and ELTs need to be more accountable with cyber sec and regulations will come – i.e. attestation processes.
- Minimum standards.
- Mandatory reporting.
- Questions to ask:
- Are you ready – simulation planning?
- Where/what is your data?
- Are your vendors secure?
- Is compliance enough?