ASIC’s priorities in a changing regulatory environment

Check against delivery

Good morning everyone – and thanks to Diane and AFIA for the invitation to speak at the 2024 Risk Summit.

I would like to begin by acknowledging the Wurundjeri people of the Kulin nation as the traditional owners of the land on which we meet. I pay my respects to their elders, past and present – and extend that respect to Aboriginal and Torres Strait Islander people here today.

Today I’d like to talk about:

Some of the key trends in the environment in which we all operate that are shaping ASIC’s thinking about where to direct our attention
Some of the work we already have underway in response to those trends, and
As part of that, our expectations of how the firms we regulate should be responding.
ASIC, like AFIA and its members, exists in a context shaped by global trends – ongoing cost-of-living pressures, climate change and rapid technological transformation of the way in which we go about our business day-to-day.

Each of these trends also has a significant impact on consumers’ needs and the ways in which they navigate financial services markets.

ASIC’s role is to understand the impact of these trends on the sectors and entities we regulate – and to address the most significant threats and harms.

In commenting on how these trends are reflected in our work, I’d like to start with our focus on consumer outcomes in the context of cost-of-living pressures.

Financial hardship
As you may have seen, earlier this week we released Report 783 – Hardship, hard to get help: Lenders fall short in financial hardship support.

This report was the result of a significant program of work, involving data collection from 30 large lenders and a deeper review of the practices of 10 large home loan lenders.

In 2023, the 30 lenders we surveyed received over 440,000 requests for hardship assistance. These requests related to 296,000 accounts and involved account balances totalling over $45 billion.

For the lenders involved in our deeper review, we examined data on hardship notices provided between 1 July 2022 and 31 December 2023. During this time, they received over 250,000 hardship notices in relation to 144,000 accounts. As well as analysing data on how those notices were handled, we reviewed 80 case studies and conducted site visits involving over 170 staff.

On the whole, it is fair to say that we were disappointed with what we found.

We found that lenders weren’t doing enough to support customers experiencing financial hardship. Too often, the hardship process was confusing and frustrating. So much so that more than one in three customers (35%) dropped out of the process on at least one occasion after giving a hardship notice.

We observed that:

Lenders didn’t make it easy for customers to give a hardship notice
Assessment processes were often difficult for customers
Lenders didn’t communicate effectively with customers, and
Vulnerable consumers often weren’t well supported.
We also found that lenders often applied standardised approaches to dealing with financial hardship. Each customer’s situation is unique, so it is important that solutions are tailored accordingly. That is even more important for customers experiencing vulnerability.

Of particular concern was the finding that in around 40% of cases where payments were deferred or reduced, customers fell into arrears right after the end of the period of hardship assistance. This signalled that lenders were not doing enough to ensure that customers understood what would happen at the end of a period and explain the options available to them.

Encouragingly, at the time of our review, at least seven of the lenders had significant programs of work in place to improve the way they manage financial hardship. That is important, given the seriousness of our concerns.

We will be providing individual written feedback to the lenders involved in our review, asking for them to prepare an action plan outlining how they intend to respond to the issues identified. We will then follow up to ensure they’ve taken those actions.

We are also considering further regulatory action in relation to some of the issues we identified through our review. Compliance with financial hardship obligations is a 2024 enforcement priority for ASIC and you should expect to see us take further action.

I do however want to stress that if you were not part of this review that does not mean that we are not interested in your approach to hardship. We continue to closely monitor reports of misconduct to ASIC, as well as concerns reported to us by members of our consultative panels, and these sources of intelligence will continue to inform our approach to enforcement.

Other work to support vulnerable consumers
Our work released this week on hardship sits within a broader program of work to support better outcomes for consumers – especially in relation to credit.

Our 2024 enforcement priorities include a range of issues relevant to credit. Besides the focus on hardship practices, they include:

High-cost credit and predatory lending practices to consumers and small business
Misconduct relating to used car financing to vulnerable consumers including brokers, car dealers and finance companies
Misconduct impacting First Nations people, and
Misconduct involving a high risk of significant consumer harm, particularly conduct targeting financially vulnerable consumers.
Our work in relation to credit spans a broad spectrum of misconduct – from unlicensed credit activities to non-compliance with responsible lending obligations to unscrupulous debt collection practices.

Unlicenced credit activities
In relation to unlicenced credit activities, we have an ongoing case against Green County and Max Lending[1], where we allege the lenders tried to bypass consumer protections in the Credit Act by requiring prospective borrowers to sign a business purpose declaration although the credit was for personal use.

Neither Green County nor Max Funding were licensed to provide personal loans or act as an intermediary.

We also have civil penalty proceedings afoot against Cigno Australia and BSF, including against two of their directors personally, for their ‘No Upfront Charge Loan Model’.[2]

Under this model, Cigno and BSF provided short-term credit to more than 100,000 customers without either entity holding a credit licence. Some of these customers were charged fees of more than 600% of their total loan amount – well beyond the caps imposed by the Credit Act.

Responsible lending obligations
In relation to the responsible lending obligations, I refer to our case against Money3, which is currently before the court. We allege that over nearly two years, Money3 failed to properly assess whether certain borrowers – including First Nations peoples – could meet their repayment obligations before entering into loan contracts for the purchase of second-hand vehicles.

Each of these consumers were either receiving Centrelink payments as their sole income or were on a low income. In some cases, the vehicle broke down, leaving the customer with an unusable car and a loan that they couldn’t afford.

Debt management
In relation to debt management, ASIC commenced proceedings in August in the Federal Court against Bakken Holdings Pty Ltd (Bakken), an operator of Solve My Debt Now, following concerns of substantial consumer harm[3].

ASIC claims that from April 2020 to June 2022, Bakken collected $3.6 million from its customers but paid only $1.1 million of this money to creditors. 64% of customers did not have payments made to their creditors at all.

ASIC also alleges that in many cases, the fees Solve My Debt Now charged for its services exceeded the amount by which the debts were reduced, leaving clients worse off. Only 5.3% of Solve My Debt Now customers achieved a debt reduction after fees.

Design and distribution obligations
And finally, before concluding my comments on our work in relation to credit, I want to note the importance of the design and distribution obligations (DDO).

The concepts behind these obligations are simple: financial products should be designed to meet the needs of the consumers for whom they are intended, and they should be distributed in a manner that reflects the intended target market.

We recently made our first final DDO stop order against Coral Coast Distributors – a business that operates retail stores in a range of communities in northern Australia under the Urban Rampage brand.

The stop order applies to arrangements that involved customers paying for goods purchased through deductions from their Centrelink payments, using the Centrepay system.

We found that Coral Coast targeted First Nations consumers who received Centrelink payments. But after signing up, many consumers found themselves without money to pay for essentials. The effect of this stop order is that Coral Coast can no longer sign-up customers into these Centrepay credit arrangements.

More broadly, while ASIC’s work in the initial stages of the DDO regime focused on the adequacy of target market determinations, we have recently focused more on the reasonable steps obligation, which requires issuers to take reasonable steps to ensure that distribution of a product is consistent with the target market determination.

In summary: credit products should not be designed or distributed in ways that place customers in financial hardship – and where this does occur, the design and distribution obligations are an important new tool in our regulatory toolbox.

Climate change and sustainable finance
I’d now like to move from issues of credit and financial hardship to discuss some of the broader environmental trends I mentioned earlier – starting with climate change.

A key area of interest for ASIC is the nature of disclosures and representations that the firms we regulate make to the market and to consumers.

The overwhelming majority of global GDP (90% by latest estimates) is now covered by a net zero target at or around mid-century. Locally, companies covering 80% of the market capitalisation of the ASX200 have set climate-related targets.

Protecting market integrity through this transformation will be critical.

ASIC will administer the government’s proposed mandatory climate-related disclosure regime when it comes into effect. As with any new regime, we will take a pragmatic approach to its supervision and enforcement – and will develop guidance to help entities meet their obligations.

Once fully implemented, it is anticipated the regime may apply to more than 6,000 entities. To allow time for the necessary preparations, it will be phased in over a number of years.

The time for preparation, though, starts now – and we encourage industry to start thinking seriously about what you need to do today to meet your obligations.

This means considering and putting into place the necessary systems, processes and governance practices. It also means thinking about the data you will require – and how you will record it.

While the direct reporting requirements are intended to apply only to large businesses and financial institutions, we are aware that some small and medium sized businesses may need to engage with climate reporting considerations as a supplier to these large companies. On this point, we have recently published some information for SMEs on our website[4].

While we prepare for these reforms, ASIC has been active under longstanding financial consumer protection laws in addressing greenwashing, particularly in relation to superannuation and investment products.

We won our first greenwashing civil penalty action, against Vanguard Investments, and have two other civil penalty proceedings underway in the Federal Court. We have also achieved more than 60 corrective disclosure outcomes, issued 17 infringement notices and have a number of further inquiries and investigations underway.

I know that there is sometimes a bit of curiosity about why ASIC has treated this area as a priority, and I have to say that I’m somewhat bemused by that reaction.

Our work in this area is grounded in the prohibition of misleading or deceptive representations that has been a feature of Australian consumer protection law for 50 years.

And I make that point because it signals an important feature of ASIC’s approach to enforcement in areas of emerging harm: while we welcome and support law reform where it can improve market integrity and consumer protection, we won’t wait for law reform where we see misconduct that breaches existing requirements.

That is a theme that I will return to in the context of the final trend I’d like to discuss: technological change.

Technological change and digitally enabled misconduct
Technological change has already transformed financial services markets – and the speed of adoption of generative AI indicates that, if anything, the pace of that transformation is likely to continue to increase.

But while it offers significant benefits in terms of operational efficiency and consumer experience, it also brings greater risk of harm. I’d like to touch on three key threads of technological harm in order to illustrate this point and elaborate on what it means for ASIC – those being scams, artificial intelligence and cybersecurity.

Scams
In 2023, Australians lost $2.74 billion to scams, including $1.3 billion to investment scams. While scams have been around forever, the scale of loss due to scams is almost entirely enabled by technology.

Since the establishment of the National Anti-Scam Centre, there has been a significant increase in the amount of investment across government and industry on preventing, detecting and disrupting scams.

ASIC has a particular role within that effort.

We have taken a close interest in the way in which firms are currently addressing scam risk. Our Report 761, published in April 2023, examined scam prevention, detection and response by the four major banks. Since the publication of the report’s findings, the major banks have taken a series of steps to improve their ability to prevent or mitigate scam losses.

We now have a further surveillance project underway, applying a similar approach, to examine the responses of a range of other banks and superannuation funds. The results of this second review will be published later in the year.

Our other key contribution to the fight against scams has been our work to target investment scams through our investment scam website takedown initiative. Since this commenced in July 2023, about 5,000 websites have been removed.

We are cautiously optimistic that our efforts are beginning to have an impact, with scam losses in 2023 down 13.1% on 2022. In the same period, we also saw an 18.5% increase on the number of reports – which suggests public awareness of scams is on the rise. This is important, because reports of scams are a valuable source of intelligence, enabling us to act quickly as the nature of scam misconduct evolves.

The government has of course been consulting on a new Scams Code Framework – and ASIC is supporting this work. This would impose anti-scams obligations on key sectors in the scams ecosystem – initially banks, telecommunications providers and digital platforms. Further funding was allocated in the Budget last week to support this work.

While losses due to scams remain high, this will remain a priority for ASIC – and we will continue to take an interest in how firms that we regulate are complying with their obligations – under existing financial services law and under new requirements as they are introduced.

Artificial intelligence
One emerging scam trend we are seeing is the increased use of deepfake videos of public figures promoting scam online trading platforms. Which brings me to another focus area for ASIC – artificial intelligence.

Just yesterday, ASIC hosted a symposium on regulation of AI. We know that AI has many potential benefits for industry and consumers. In fact, we are considering how we might use it in our own work.

But we also understand that AI opens up entirely new vectors of potential harm to consumers, and to market integrity.

A key concern for us is therefore how businesses are balancing potential benefits with their responsibilities to consumers and investors.

ASIC is currently conducting a review of the use of AI and advanced data analytics involving a sample of entities in the banking, credit, insurance and financial advice sectors.

This is in a context in which – as with some of the issues I have mentioned today – the government is considering the case for law reform. But in the meantime, we remind our regulated population that existing laws – including those relating to financial services, consumer protection and corporate governance – continue to apply.

There are a range of legislative bases on which it’s not too hard to imagine ASIC taking action. In response to, for example, misleading representations or inappropriate product distribution facilitated by AI. Or use of AI in ways that involve breaches of general licensing obligations or the duties of directors or officers in the Corporations Act.

Cybersecurity
The importance of existing legal obligations applies equally to cybersecurity – where we have been particularly vocal and active on the need for businesses to up their game.

Preventing and responding to cyber-attacks, hacks and data-leaks – as with scams and other forms of digitally enabled misconduct – requires the public and private sectors to work together.

When it comes to cyber resilience, we are not just thinking about what firms can do to prevent an attack – but how they prepare for, manage and respond to one when it happens.

I say when rather than if. Because with one cyber-attack reported every six minutes, it’s safe to assume at some point your business will be a target.

ASIC, as part of the Council of Financial Regulators (CFR), recently carried out a series of simulated cyber-attacks with large organisations across the financial services and markets sectors.

These exercises exposed critical vulnerabilities. Perhaps most worrying though was the concerning level of inadequacy in password management – which is surely one of the most fundamental cyber defences.

So, while it is fair to describe cyber-attacks as an ever-growing threat, there are some very simple steps businesses should be taking, which as these recent exercises show, many aren’t.

One of those steps includes implementing multi-factor authentication.

In fact, our work with the CFR in this area has revealed that most recent high-profile incidents in Australia could have been prevented if multi-factor authentication (MFA) had been in place for third-party suppliers.

In ASIC’s view, cyber risk management demands board-level attention, and the level of consideration will influence the response when an attack inevitably occurs. Where directors fail to appropriately manage foreseeable risk we may take action, including for egregious failures to mitigate the risk of cyber-attacks.

Our message in relation to each of these technological themes I have canvassed is simple: corporations’ obligations around good governance and the efficient, honest and fair provision of financial services don’t change with the uptake of new technology. Directors and officers should be actively considering how risks are evolving, and how their responses need to evolve in line with their obligations.

Conclusion
In closing, I’d like to once again thank AFIA for the opportunity to speak with you.

While you all know ASIC well and understand a lot about our approach to regulation and enforcement, I hope that I have left you with a message that our approach is not static.

We are thinking deeply about the major forces that are reshaping financial services markets. We are talking to businesses, technologists, academics and consumer advocates about how they perceive these forces, and the risks and opportunities that they pose.

And we expect the entities that we regulate to be doing the same thing, and reflecting that in their approach to compliance with the law as it stands now, and as it evolves.

Thank you and I now look forward to answering some questions.

Latest News

For Firms

For Consumers