Australian Financial Services Regulatory Update

This edition of the Update covers: 

  • Recent legal and regulatory developments, including the commencement of cyber security incident notification obligations for critical financial market infrastructure assets, AUSTRAC's guidance on ransomware and criminal use of digital currencies, ASIC's guidance on the risk of greenwashing by superannuation and managed funds, and APRA's risk management expectations and policy roadmap for crypto-assets;
  • Recent financial services litigation, including ASIC's successful appeal against short-term lenders BHF Solutions Pty Ltd and Cigno Pty Ltd, and the commencement of proceedings by ASIC against Macquarie Bank Ltd for allegedly failing to adequately monitor and control transactions by third parties; and
  • Other regulatory enforcement action, including a court enforceable undertaking offered by NAB and accepted by AUSTRAC to address concerns with NAB's compliance with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). 


Cyber Security

Cyber Security Obligations 'Switched On' for Critical Financial Market Infrastructure Assets

On 6 April 2022, the Minister for Home Affairs made the Security of Critical Infrastructure (Application) Rules (LIN 22/026) 2022 (Cth) ("Application Rules"). The Application Rules 'switch on' the obligations under the Security of Critical Infrastructure Act 2018 (Cth) for a responsible entity of a critical financial market infrastructure asset to notify the Government of cyber security incidents. A critical financial market infrastructure asset includes a financial market, clearing and settlement facility, significant financial benchmark, derivative trade repository or payment system that satisfies the definitions in s 10 of the Security of Critical Infrastructure (Definitions) Rules (LIN 21/039) 2021 (Cth). From 8 July 2022, a responsible entity of a critical financial market infrastructure asset will be required to notify the Government of: (i) a critical cyber security incident within 12 hours of becoming aware of the incident; and (ii) other cyber security incidents within 72 hours of becoming aware of the incident. The Application Rules also switch on other reporting obligations for a responsible entity of a critical financial market infrastructure asset that is a payment system. The Application Rules can be found here

Anti-Money Laundering and Sanctions

AUSTRAC Targets Ransomware and Criminal use of Digital Currencies

On 21 April 2022, AUSTRAC announced it had released two financial crime guides for financial services providers on detecting and reporting ransomware and preventing the criminal abuse of digital currencies. With instances of ransomware and criminal abuse of digital currencies on the rise, AUSTRAC has emphasised the importance of being equipped to identify suspicious activity and report it to AUSTRAC. The guides outline a number of financial and behavioural indicators to help financial services providers identify if a payment could be related to a ransomware attack or if a person could be using digital currencies to commit serious crimes. AUSTRAC's media release can be found here


ASIC Issues Guidance on how to Avoid Greenwashing for Superannuation and Managed Funds

On 14 June 2022, ASIC released Information Sheet 271, How to avoid greenwashing when offering or promoting sustainability-related products ("INFO 271") for responsible entities of managed funds, corporate directors of corporate collective investment vehicles (CCIVs), and trustees of registrable superannuation entities. INFO 271 sets out: (i) the current regulatory settings for communications about sustainability-related products and investment strategies; and (ii) key questions to consider when offering or promoting such products. Our previous Commentary on INFO 271 can be found here.

Financial Markets

ASIC Calls on Market Operators and Participants to Improve Resilience 

On 28 June 2022, ASIC released a statement calling on market operators and participants to continue to improve the resilience of the Australian equity market during outages, including by facilitating trading on alternative markets. ASIC's statement follows Report 708 ASIC's expectations for industry in responding to a market outage released in response to the ASX equity market outage in November 2020. By early to mid-2023, ASIC expects that all market participants will have arrangements for at least new orders to trade on an alternative market during an outage, and that market operators will support this outcome. ASIC's statement can be found here

Consumer Protection

ASIC Extends its Product Intervention Order for Contracts for Difference 

On 6 April 2022, ASIC extended its product intervention order imposing conditions on the issuance and distribution of contracts for difference ("CFDs") by a further five years, until 23 May 2027. A CFD is a contract that allows a client to speculate the change in value of an underlying asset, such as stock market indices, foreign exchange rates, single equities, commodities, or crypto-assets. The product intervention order, which commenced on 29 March 2021, limits CFD leverage available to retail clients, imposes product features that limit retail clients' CFD losses, and prohibits sale strategies that provide incentives to retail clients to induce them to trade in CFDs. The intention of the order is to strengthen protections for retail clients and ensures CFD practices in Australia remain comparable to other markets. ASIC's media release can be found here.

On the same day, ASIC also released Report 724 Response to submissions on CP 348 Extension of the CFD product intervention order ("Report 724"), which uses data from over 60 CFD issuers and examines the impact of the order. Report 724 concludes that the product intervention order has been effective in reducing the risk of significant detriment to retail clients resulting from CFDs. Report 724 can be found here.

Prudential Requirements

APRA Sets out Initial Risk Management Expectations and Policy Roadmap for Crypto-Assets

On 21 April 2022, APRA issued a letter to all APRA-regulated entities setting out its risk management expectations and policy roadmap for crypto-assets. APRA notes that the risks associated with crypto-assets are wide-ranging, including operational, investment, and credit risk. APRA considers the operational risks to be particularly important, encompassing fraud, cyber, AML/CTF and conduct risks. APRA expects that all regulated entities will: (i) conduct appropriate due diligence and a comprehensive risk assessment before engaging in activities associated with crypto-assets; (ii) consider the prudential requirements regarding outsourcing; and (iii) apply robust risk management controls, with clear accountabilities and relevant reporting to the board on the key risks associated with new ventures. 

APRA has also set out its plans to: (i) consult on requirements for the prudential treatment of crypto-exposures for Authorised Deposit-taking Institutions ("ADIs"); (ii) progress new and revised requirements for operational risk management, covering control effectiveness, business continuity and service provider management; and (iii) consider possible approaches to the prudential regulation of payment stablecoins as part of a broader legislative and regulatory framework for stored-valued facilities. APRA's letter can be found here


ASIC Announces Financial Reporting Changes for AFS Licensees

On 3 June 2022, ASIC announced new financial reporting requirements for Australian Financial Services ("AFS") Licensees following changes to the Australian Accounting Standards. Under the new reporting requirements, AFS Licensees' financial reports must contain disclosures consistent with the financial reports of other for-profit entities. AFS Licensees can no longer prepare special purpose financial reports, which do not contain all disclosures required in the full accounting standards. Going forward, AFS Licensees must apply the full recognition and measurement requirements for assets, liabilities, income, and expenses. The new disclosure requirements apply from financial years commencing on or after 1 July 2021, but certain AFS Licensees can choose to defer any new disclosure requirements by one year. ASIC's media release can be found here


ASIC Commences Proceedings Against Mercer for fees for no Service

On 30 June 2022, ASIC commenced proceedings in the Federal Court of Australia against Mercer Financial Advice (Australia) Pty Ltd ("Mercer") for allegedly making false or misleading representations to its customers about fees charged and services that were not provided, and for failing to provide fee disclosure statements. Specifically, ASIC alleges: (i) Mercer contravened s 962 of the Corporations Act 2001 (Cth) ("Corporations Act") by continuing to charge ongoing fees to customers, despite the applicable ongoing fee arrangements with these customers having being terminated; (ii) Mercer contravened s 962S of the Corporations Act by failing to give certain customers fee disclosure statements; (iii) Mercer contravened s 12DB(1)(a), (e), and/or (i) of the Australian Securities and Investments Commission Act 2001 (Cth) ("ASIC Act") by making false or misleading representations within fee disclosure statements; and (iv) through these failures, Mercer failed to do all things necessary to ensure the financial services covered by its AFS Licence were provided efficiently, honestly, and fairly in contravention of s 912A(1)(a) of the Corporations Act and failed to comply with financial services law in contravention of s 912A(1)(c) of the Corporations Act. 

ASIC Successful in Appeal Against Cigno and BHF

On 28 June 2022, the Full Court of the Federal Court of Australia upheld an appeal by ASIC, which sought to overturn a decision of the Federal Court that the short-term, high-cost lending model operated by credit provider BHF Solutions Pty Ltd ("BHFS"), and loan manager and arranger Cigno Pty Ltd ("Cigno"), was not subject to the National Consumer Credit Protection Act 2009 (Cth) ("NCCP Act") and National Credit Code ("NCC"). 

In a unanimous decision, the Full Court found that the fees charged by BHFS and the additional fees charged by Cigno (which were only payable if credit was provided by BHFS) were, in substance, charges made for the provision of credit. In reaching this conclusion, the Court noted at [172] that a broader interpretation of the legislation which "looks to the substance of the credit arrangements rather than their contractual form" is to be preferred to ensure that "the remedial provisions of the [NCC] are not easily avoided by carefully structured credit arrangements". The Court went on to find that BHFS had engaged in credit activities within the meaning of s 6(1) of the NCCP Act. The Court was unable to make such a conclusion with respect to Cigno as the relevant issues had not previously been addressed by the trial judge and no submissions as to those issues were advanced on appeal. Accordingly, the Court ordered that the proceeding be remitted to the trial judge for determination of ASIC's allegations against Cigno and relief. The Full Court's judgment can be found here

ASIC Commences Proceedings Against ANZ for Allegedly Overstating Account Balances

On 30 May 2022, ASIC commenced proceedings in the Federal Court of Australia against Australia and New Zealand Banking Group Ltd ("ANZ") for allegedly misleading its customers as to available funds and balances in their credit card accounts. ASIC alleges that from May 2016, around 165,750 ANZ customers were charged cash advance fees and interest for withdrawing or transferring money from their credit card accounts where ANZ had incorrectly stated the amount available for withdrawal from their accounts. While ANZ has remediated over $10 million to customers who were affected up until November 2018, ASIC alleges that customers continue to be affected. 

ASIC alleges that ANZ contravened ss 12DA(1), 12DB(1)(e) and 12DB(1)(g) of the ASIC Act, by making false or misleading representations to customers about the available funds in their credit card accounts. ASIC also alleges that ANZ contravened ss 47(1)(a) and 47(4) of the NCCP Act in failing to do all things necessary to ensure that the credit activities authorised by its Credit Licence were engaged in efficiently, honestly and fairly. ASIC is seeking: (i) declarations of contravention; (ii) pecuniary penalties; (iii) an injunction requiring ANZ to implement a system change so that where a payment is made to a customer's credit card account, it is not included in their funds or balance until that amount is cleared by ANZ and available to use without adverse consequences; and (iv) an order requiring ANZ to implement a program to remediate those affected customers who have not yet been remediated which is to be overseen by an independent expert. ASIC's media release can be found here

ASIC Commences Proceedings Against Macquarie for Alleged Failure to Monitor Accounts

On 5 April 2022, ASIC commenced proceedings in the Federal Court of Australia against Macquarie Bank Ltd ("Macquarie") for failing to adequately monitor and control transactions by third parties, such as financial advisers, on their customers' cash management accounts. ASIC alleges that from 1 May 2016 to 15 January 2020, Macquarie failed to take measures to prevent or detect transactions made using its bulk transacting system that were outside the scope of a 'fee authority' given by a customer, including misappropriating, and attempts to misappropriate, customer funds. ASIC alleges that by this conduct Macquarie failed to ensure its financial services were provided efficiently, honestly and fairly in contravention of s 912A(1)(a) of the Corporations Act. ASIC is seeking declarations, pecuniary penalties and a compliance order for an independent review of Macquarie's fee authorities and fee transactions using the bulk transaction system. The proceedings arise from misappropriation of client moneys by a financial adviser who ASIC alleges made $2.9 million in unauthorised withdrawals from Macquarie accounts (and who has since been convicted of dishonesty offences) and for which Macquarie has already paid remediation of approximately $3.5 million. ASIC's media release can be found here.


AUSTRAC Accepts a Court Enforceable Undertaking From NAB

On 2 May 2022, AUSTRAC announced it had accepted a court enforceable undertaking ("CEU") from National Australia Bank Limited ("NAB") and various of its related entities within the NAB designated business group ("DBG"). The CEU follows an AUSTRAC enforcement investigation into the NAB DBG which identified concerns with compliance with certain obligation under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth). In order to address AUSTRAC's concerns, NAB offered the CEU under which it commits to complete a Remedial Action Plan overseen by an external auditor. AUSTRAC accepted the CEU and also acknowledged that since 2017, NAB has made significant improvements to its technology platforms, processes and procedures and has invested significantly in programs of work to mature the financial risk capability of the NAB DBG. AUSTRAC's media release can be found here

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our “Contact Us” form, which can be found on our website at The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.