What advisers should focus on as a new regulatory horizon dawns
The new financial year is in full swing. While advisers’ collective focus will no doubt remain on their clients, considerations to stay ahead of the regulatory curve should always be taken into account.
Advisers are grappling with numerous regulatory changes already in effect or looming in the next 12 months. More change is inevitable as regulators shift their focus toward enhanced consumer protection across various legislation. Many of these changes, from different regulatory bodies, impact the same core policies and procedures within advice businesses – data handling, privacy, cybersecurity, technological resilience, business continuity plans, and complaint handling, to name a few.
The Australian corporate regulator, the Australian Securities and Investments Commission (ASIC), is under pressure following the Senate Economics Committee’s final report on its investigation and enforcement capabilities. The report was critical of ASIC’s role, processes, transparency, and delays in public outcomes to prevent harm to consumers. ASIC has not fully endorsed the recommendations but continues to focus on its regulatory change agenda and priorities.
Firms should be well on their way to implementing the requirements of the Delivering Better Financial Outcomes (DBFO) and Other Measures Act, which received royal assent on 9 July 2024. Various implementation timeframes impact AFSL holders.
While not a full list of priorities, these are some of the impacted areas for advisers.
ASIC’s Priorities:
- Superannuation & Insurance: From 9 January 2025, super funds can charge individual members for advice fees directly from their accounts. ASIC’s scrutiny of these sectors remains intense, particularly around fee transparency, best interest duty, and claims handling.
- Tip: Document your processes meticulously, proactively communicate, and implement robust internal controls and training.
- Financial Hardship & Vulnerable Consumers: Demonstrating genuine commitment to assisting clients facing financial difficulties remains crucial.
- Tip: Review and enhance processes for identifying and supporting vulnerable consumers, ensuring fair treatment and compliance with hardship obligations.
- Complaints: The second reporting period for ASIC’s internal dispute resolution data is due 31 August. Even firms with no complaints must lodge a nil return.
- Tip: Capture data in the prescribed form at the time of the complaint to ensure timely reporting.
- Technology & Operational Resilience: Cyber threats, data breaches, and operational disruptions require constant vigilance.
- Tip: Invest in cybersecurity, conduct regular system audits, and maintain robust business continuity plans. Prepare for incidents with a communication and escalation plan.
- Financial Service Guides (FSG): Since 10 July 2024, firms can provide FSGs before services or make them publicly available.
- Tip: Ensure FSGs published on your website are current and show an in-use or “from” date.
- Ongoing Fee Arrangements (OFA): From 9 January 2025, DBFO reforms remove the fee disclosure statement, introduce flexibility in anniversary dates, and amend mandatory content for ongoing fee consents.
- Tip: Streamline current processes to prepare for implementation.
Let’s look at the Privacy & Data Protection Act.
Several high-profile data incidents have highlighted the importance of privacy and data protection. The Office of the Australian Information Commissioner’s (OAIC) latest report shows 49 financial services firms reporting breaches in the last six months of 2023.
Firms must report breaches under the Notifiable Data Breaches (NDB) scheme. Some areas of focus from the OAIC regarding the Privacy Act and the Australian Privacy Principles (APP) include:
- Direct Right of Action & Increased Penalties: Prepare for potential consumer lawsuits and higher penalties for privacy breaches.
- Tip: Conduct a thorough privacy policy review, enhance data security, and train staff.
- Protect Personal Information: Take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. Destroy or de-identify information no longer needed.
- Tip: Ensure data handling practices comply with regulations, including the disposal of unused data. Update your Business Continuity Plan with details on handling privacy breaches and client communication.
Advice firms need to stay diligent on privacy. “Reasonable steps” is a broad term, and documenting your processes, capturing incidents, and reporting when necessary all need to be part of your reasonable steps. Common failings seen in advice firms include recording and not masking tax file numbers, sending client information to the wrong client, failing to correct or update information, collecting more information than is reasonably necessary, using client information for cross-selling, and retaining information longer than necessary.
Repeat incidents may indicate a systemic issue. Ensure your teams are periodically trained in their privacy responsibilities and that incidents are escalated in a timely fashion.
The regulatory landscape is in constant flux. ASIC’s focus areas and the Privacy Act review underscore the need for robust compliance, ethical conduct, and data protection. By staying informed and proactive, you can safeguard your business and clients’ interests.
*Amanda Mark is co-CEO of MIntegrity