Regulatory framework

Regulatory authorities

What national authorities regulate the provision of financial products and services?

The Australian Securities and Investments Commission (ASIC) is Australia’s primary corporate, markets, financial services and consumer credit regulator. It is responsible for regulating consumer protection and maintaining market integrity within the financial system.

The Australian Prudential Regulation Authority (APRA) is concerned with maintaining the safety and soundness of financial institutions and is tasked with protecting the interests of depositors, policyholders and superannuation fund members.

The Reserve Bank of Australia (RBA) is Australia’s central bank and provides a range of banking services to the Australian government and its agencies, overseas central banks and official institutions. It is also responsible for maintaining the stability of the financial system through monetary policy and regulating payment systems.

In December 2017, the Australian government established the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (Royal Commission), whose findings will significantly affect the financial services industry. The Royal Commission found that misconduct was widespread across the industry, and as a result there has been a marked decrease in consumer trust in incumbent institutions and in their ability to prioritise consumers and protect consumer data. The Royal Commission also criticised the corporate regulators for their lack of action in response to misconduct, which often left misconduct unpunished or attracted penalties too light to deter similar behaviour in future.

What activities does each national financial services authority regulate?

ASIC supervises the conduct and regulation of Australian companies, financial markets, financial services providers and professionals who deal and advise in investments, superannuation, insurance, non-cash payments, deposit taking and credit products. ASIC is entrusted with the following responsibilities:

  • As the financial services regulator, ASIC licenses and monitors financial services providers to ensure that they operate efficiently, honestly and fairly.
  • As the consumer credit regulator, ASIC licenses and regulates entities engaging in consumer credit activities including banks, credit unions, finance companies, and mortgage and finance brokers.
  • As the markets regulator, ASIC assesses how effectively authorised financial market operators are complying with their legal obligations to operate fair and transparent markets, and advises Parliament regarding new markets.
  • ASIC also has general administration over company fundraising through the issue or sale of financial products in Australia. It supervises and enforces disclosure requirements to retail investors for companies issuing and selling financial products.

APRA oversees authorised deposit-taking institutions (ADIs) (eg, banks, building societies and credit unions), general insurers, life insurers, friendly societies, reinsurance companies and superannuation funds (other than self-managed funds). APRA is responsible for promoting financial stability in Australia.

The RBA conducts Australia’s monetary policy and issues its currency, as well as having responsibility for promoting the safety and efficiency of the payments system. While it does not supervise the prudential soundness of banks or other ADIs, it does have a role in maintaining the stability of the financial system as a whole.

What products does each national financial services authority regulate?

ASIC’s regulatory framework covers a wide range of financial products offered in relation to the aforementioned activities, including securities, managed investment products, derivatives, general and life insurance, superannuation, margin lending, carbon units, deposit accounts and means of payment (eg, non-cash payment facilities).

APRA’s focus is on industry segments, rather than financial products. The products associated with these segments include banking products, insurance products and superannuation products.

The RBA’s focus is on Australia’s monetary policy, rather than financial products.

Authorisation regime

What is the registration or authorisation regime applicable to financial services firms and authorised individuals associated with those firms? When is registration or authorisation necessary, and how is it effected?

Australian financial services licence (AFSL)

A person who carries on a financial services business in Australia must hold an AFSL or otherwise be exempt from the requirement to be licensed.

The Corporations Act 2001 (Cth) (Corporations Act), which is administered by ASIC, provides that a financial services business is taken to be carried on in Australia where, in the course of carrying on a business, a person engages in conduct that is intended to induce people in Australia to use the financial services the person provides, or that is likely to have that effect, whether or not the conduct is intended to have that effect.

Broadly, financial services include providing financial product advice, dealing in financial products (as principal or agent), making a market for financial products, operating registered schemes, providing custodial or depository services, traditional trustee company services, or crowdfunding services.

A financial product is a facility through which, or through the acquisition of which, a person makes a financial investment, manages financial risk or makes non-cash payments. Examples of financial products include securities (eg, shares and debentures), interests in managed investment schemes (eg, units in a widely held unit trust), payment products (eg, deposit products and non-cash payment facilities), derivatives, superannuation interests, margin lending facilities and foreign exchange contracts.

The definitions of financial products and services under the Corporations Act are very broad and will often capture investment and advisory activities, wealth management products and services, market making, financial markets and crowdfunding services. Effecting or arranging dealings in financial products (as principal or agent) may also trigger the requirement to hold an AFSL if such activities are conducted in the course of carrying on a financial services business in Australia.

A financial services provider must be granted an AFSL by ASIC prior to providing financial services in Australia. AFSLs are granted after a detailed assessment by ASIC of the provider’s business in relation to the financial services it intends to provide, its ability to meet financial and organisational competence requirements and its overall ability to comply with financial services laws.

Australian credit licence (ACL)

The ACL regime applies to persons who engage in consumer credit activities in Australia, such as providing credit under a credit contract or consumer lease. Any person engaging in consumer credit activities must hold an ACL, or otherwise be exempt from the requirement to hold an ACL. Consumer credit activity is regulated by ASIC under the National Consumer Credit Protection Act 2009 (Cth) (National Credit Act) and associated regulations.

The credit licensing process involves ASIC assessing the types of credit activities proposed to be engaged in under the licence, the applicant’s ability to comply with its obligations under the National Credit Act and the representatives through whom the licensee will conduct credit activities.

Authorised deposit-taking institution (ADI) licence

An entity that conducts ‘banking business’, such as taking deposits (other than as part-payment for identified goods or services) or making advances of money, must be authorised as an ADI. APRA is responsible for the authorisation process and the granting of ADI licences, as well as ongoing prudential supervision. APRA has recently released the Restricted ADI framework, which is designed to assist new businesses to enter the banking industry. Eligible entities can seek a Restricted ADI licence, allowing them to conduct a limited range of business activities for two years while they build their capabilities and resources; after that time they must either transition to a full ADI licence or exit the industry.

Australian market licence (AML)

Financial services providers may also need to hold an AML where they operate a facility through which offers to buy and sell financial products are regularly made and accepted (eg, an exchange). ASIC will only grant an exemption from the requirement to hold an AML if it considers that the regulatory outcomes of market licensing are not relevant to the market venue, can be achieved without regulation under the AML regime or would impose costs that significantly outweigh the benefits of those outcomes.

There is currently a two-tier licence system in place in relation to financial markets:

  • Tier 1 is designed to facilitate oversight of traditional market models and significant non-exchanges. These include market venues that are, or are expected to become, significant to the Australian economy or to the efficiency, integrity and investor confidence in the financial system.
  • Tier 2 applies to most other licensed market venues. This second tier of licences is specifically targeted at specialised and emerging market venues, and designed to facilitate reduced regulatory oversight and a reduced regulatory burden for lower risk financial markets.

Clearing and settlement (CS) facility

A person who operates a facility that clears and settles transactions in financial products will require a CS facility licence or be exempt from holding one. Both ASIC and the RBA are responsible for the supervision of operators of CS facilities and their participants.

Registerable superannuation entity (RSE) licence

Under the Superannuation Industry (Supervision) Act 1993 (Cth) (SIS Act), an entity that intends to act as trustee of an RSE must hold an RSE licence issued by APRA. RSEs do not include exempt public sector superannuation schemes or self-managed superannuation funds, which are regulated by the Australian Taxation Office. There are four classes of RSE licence: public offer entity licence, non-public offer entity licence, extended public offer entity licence and acting trustee licence.

RSE licensees must comply with a number of ongoing requirements under the SIS Act. These obligations include complying with the conditions of the RSE licence, notifying APRA within 10 days of becoming aware of any significant breach, or likely breach, of a prudential requirement, and registering each superannuation entity of which it is to be the RSE licensee. APRA may cancel an RSE licence if it has reason to believe the licensee will breach a licence condition.

General insurance licence

Under the Insurance Act 1973 (Cth) (Insurance Act), it is an offence for an entity to carry on insurance business in Australia without obtaining a general insurance licence from APRA. The Insurance Act defines ‘insurance business’ as the business of undertaking liability, by way of insurance (including reinsurance), in respect of any loss or damage where the liability is contingent upon the occurrence of a specified event, and includes any business incidental to insurance business.

The Insurance Act only allows bodies corporate and Lloyd’s underwriters to carry on insurance business in Australia, which means APRA will not consider applications from partnerships or unincorporated entities. Additionally, certain activities fall outside the definition of ‘insurance business’, such as life insurance, health insurance and the provision of funeral benefits.


What statute or other legal basis is the source of each regulatory authority’s jurisdiction?

ASIC is established under the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act), and regulates financial services in Australia under the Corporations Act. ASIC also has enforcement powers under the Corporations Act and the National Credit Act.

APRA is established under the Australian Prudential Regulation Authority Act 1998 (Cth), and administers the Banking Act 1959 (Cth) (Banking Act), the Insurance Act, the Life Insurance Act 1995 (Cth) and the SIS Act.

The RBA’s jurisdiction and powers are set out in the Reserve Bank Act 1959 (Cth).

What principal laws and financial service authority rules apply to the activities of financial services firms and their associated persons?

The Corporations Act

The Corporations Act and the Corporations Regulations 2001 (Cth) are the primary laws regulating the conduct and disclosure obligations of financial services providers. They are primarily administered by ASIC, whose remit is to maintain, facilitate and improve the performance of the financial system and to promote informed participation by investors and consumers. ASIC sets out its approach to regulation through the publication of regulatory guides (RGs).

The Corporations Act also requires licensees to report certain breaches of the law to ASIC. An Australian financial services licensee must notify ASIC in writing of any ‘significant’ breach, or likely breach, of its obligations under the Corporations Act as soon as practicable, and in any event within 10 business days of becoming aware of the breach or likely breach. Factors relevant to whether a breach is ‘significant’ include the number or frequency of similar previous breaches, the impact of the breach on the licensee’s ability to provide financial services, the actual or potential loss arising from the breach and the extent to which the breach indicates that the licensee’s arrangements for ensuring compliance with those obligations are inadequate.

The Banking Act

The Banking Act empowers APRA to regulate ADIs (banks, building societies and credit unions) under a single licensing regime and to develop prudential policies that balance financial safety with efficiency, competition, contestability and competitive neutrality.

Entities that conduct any ‘banking business’ such as taking deposits (other than as part-payment for identified goods or services) or making advances of money must be licensed as an ADI. The new Restricted ADI framework allows new businesses entering the banking industry to conduct a limited range of business activities for two years, before either transitioning into a full ADI or exiting the industry.

The Financial Sector (Collection of Data) Act 2001 (Cth) (FSCODA)

FSCODA allows APRA to collect data from registrable financial corporations and facilitates the collection of statistical data. Under FSCODA, an entity will broadly be a registrable corporation if it engages in the provision of finance in the course of carrying on business in Australia. Corporations specifically excluded from being registrable under the Act include banks, building societies, credit unions, public authorities, friendly or benefit societies, insurance companies and companies authorised by law to act as an executor, administrator and trustee. Additionally, an entity is not a registrable corporation for the purposes of FSCODA if:

  • its assets in Australia, consisting of debts due to the corporation resulting from transactions entered into in the course of provision of finance by the corporation, do not exceed A$50 million in aggregate value; and
  • the principal amounts outstanding on loans or other financing, as entered into in a financial year, do not exceed A$50 million in aggregate value.

Entities that fall within the registrable corporations requirement have a number of obligations under the FSCODA. Entities must provide APRA with relevant documentation within 60 days of becoming a registrable corporation or face a potential fine of A$10,500 for every day of non-compliance. Similarly, entities must inform APRA within 60 days of any change of name or registered address, or change in principal methods of borrowing or lending. Entities that fail to do so may be subject to a potential fine of A$2,100 for every day of non-compliance.

From 1 July 2019, registered corporations will also be required to appoint an auditor and audit the corporation to ensure it fulfils its responsibilities in accordance with reporting standards.

Anti-money laundering and counter-terrorism financing (AML/CTF)

Most financial services businesses will also have obligations under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act) and the Anti-Money Laundering and Counter-Terrorism Financing Rules Instrument 2007 (No. 1) (AML/CTF Rules). These laws are administered by the Australian Transaction Reports and Analysis Centre (AUSTRAC) and apply to entities that provide any ‘designated service’ that has the potential to facilitate money laundering or terrorism financing (eg, by factoring a receivable, providing a loan, or issuing or selling securities). Entities that provide designated services are known as ‘reporting entities’ and are required to enrol with AUSTRAC, conduct customer due diligence on customers prior to providing any designated services and adopt and maintain an AML/CTF programme. Reporting entities also have numerous reporting obligations such as:

  • threshold transaction reports;
  • international funds transfer instruction reports;
  • suspicious matter reports;
  • cross-border movement reports; and
  • AML/CTF compliance reports.

Australian Consumer Law

Businesses in Australia are also subject to the key conduct prohibitions in the Australian Consumer Law, which is enforced by the Australian Competition and Consumer Commission (ACCC). Broadly, these include prohibitions on misleading or deceptive conduct, false or misleading representations, unconscionable conduct and unfair contract terms. Although the Australian Consumer Law itself does not apply to financial products and services, equivalent consumer protections apply to them and are enforced by ASIC, either under the mirror provisions in the ASIC Act or under powers delegated by the ACCC (eg, taking action on misleading or deceptive conduct in relation to initial coin offerings).

Scope of regulation

What are the main areas of regulation for each type of regulated financial services provider and product?

The main areas of regulation and supervision administered by ASIC under the Corporations Act are licensing, disclosure and registration. Under the ASIC Act, ASIC also enforces consumer protection provisions in a financial services context, including prohibiting misleading and deceptive conduct in the provision of financial services.

APRA is the prudential regulator of the financial services industry that licenses and supervises banking, insurance and superannuation businesses to ensure that under all reasonable circumstances, the financial promises made to their beneficiaries are kept.

The RBA provides a range of banking services to the Australian government and its agencies, overseas central banks and official institutions. As discussed in question 1, it is also responsible for maintaining the stability of the financial system through monetary policy and regulating payment systems.

Financial services providers may also be subject to AML/CTF requirements (discussed in question 6).

Additional requirements

What additional requirements apply to financial services firms and authorised persons, such as those imposed by self-regulatory bodies, designated professional bodies or other financial services organisations?

Financial services providers that provide financial services to retail clients in Australia must be a member of the Australian Financial Complaints Authority (AFCA). AFCA is a single external dispute resolution scheme for the financial services industry that replaced the Financial Ombudsman Service, the Credit and Investments Ombudsman and Superannuation Complaints Tribunal in late 2018. Its primary responsibility is to resolve consumer complaints regarding financial providers and it can also make decisions that bind these providers.

Financial services providers may also be regulated under the Privacy Act 1988 (Cth) (Privacy Act), including the 13 Australian Privacy Principles, which impose obligations on the collection, use, disclosure, retention and destruction of personal information. In the event of a data breach, entities regulated under the Privacy Act are required to notify any affected individuals and the Office of the Australian Information Commissioner (OAIC) where such a breach is likely to result in serious harm to those individuals.

As discussed in question 6, financial services providers may also be subject to AML/CTF requirements or obligations under the Australian Consumer Law.


Investigatory powers

What powers do national financial services authorities have to examine and investigate compliance? What enforcement powers do they have for compliance breaches? How is compliance examined and enforced in practice?

ASIC has very broad powers to regulate the financial services industry. Financial services providers are obliged to keep ASIC informed of any significant breaches of their obligations or of the law. Where ASIC has reason to suspect a breach, it has wide investigative powers: it can require a person or entity to produce documents or information and to attend an examination, inspect documents, compel assistance with an investigation and apply for a search warrant. ASIC considers a range of factors in deciding whether to take enforcement action, which may take the form of an adverse publicity order, public warning, infringement notice, enforceable undertaking, banning order or disqualification of a person from managing corporations.

ASIC may also commence court proceedings against persons or entities, including seeking injunctive relief and civil or criminal prosecution. Further, the Treasury Laws Amendment (Design and Distribution Obligations and Product Intervention Powers) Bill 2018 (Bill) proposes a product intervention power for ASIC. The Bill would amend the Corporations Act and the National Credit Act to give ASIC the power to prevent or respond to significant consumer detriment from certain financial products and credit products by making public intervention orders. Factors relevant to whether a risk of detriment is ‘significant’ include the nature and extent of the detriment (eg, whether any actual or potential financial loss is suffered) and the impact the detriment has had, will have or is likely to have on consumers.

APRA has broad powers to take enforcement action against regulated institutions (and associated persons), including taking control of an entity or effecting a restructure or its exit from the industry. APRA may undertake a formal investigation into the affairs of an institution; enforcement outcomes include additional conditions on an institution’s licence, disqualification of individuals, restraining orders, enforceable undertakings and criminal prosecution.

A key finding of the Royal Commission was that regulators had failed to take appropriate enforcement action in response to known compliance issues: despite the powers available to ASIC and APRA, the Royal Commission found that both had approached enforcement with insufficient stringency. Following these findings, both ASIC and APRA have commenced internal reviews of their enforcement procedures and committed to a firmer approach to non-compliant corporations, and the financial services industry expects more proactive and firmer action from regulators in future.

AUSTRAC may pursue a wide range of enforcement sanctions under the AML/CTF Act. These include imposing civil and criminal penalties (which can be significant in value), accepting enforceable undertakings, issuing infringement notices, giving remedial directions, and cancelling or suspending registrations of digital currency exchange providers and designated remittance services. AUSTRAC typically examines compliance through industry-wide or reporting-entity-specific surveillance, and utilises its cooperative enforcement powers (eg, enforceable undertakings, required compliance reviews). However, over the past few years AUSTRAC has become more active in pursuing civil and criminal penalties. In July 2015, the AUSTRAC CEO made an application for a civil penalty order against three related entities. The application was made after AUSTRAC found that there had been ‘extensive, significant and systemic non-compliance’. During proceedings, the group admitted it had insufficient processes for consistent management oversight, assurance and operational execution of its AML/CTF programme, and received a record A$45 million penalty.

More recently in mid 2018, following an AUSTRAC investigation into a major Australian bank’s compliance and risk-management practices, a A$700 million penalty and costs of A$2.5 million were awarded against the financial institution for failure to introduce appropriate controls to manage and mitigate risk. This is the largest civil penalty in Australian corporate history.

Disciplinary powers

What are the powers of national financial services authorities to discipline or punish infractions? Which other bodies are responsible for criminal enforcement relating to compliance violations?

See question 9. There are a range of other bodies that are responsible for compliance enforcement, depending on the law that has been contravened.

ASIC may pursue a variety of enforcement remedies, depending on the seriousness and consequences of the misconduct. These remedies include criminal sanctions (eg, imprisonment, financial penalties or both), civil penalties and the revocation, suspension or variation of a licence. APRA may also pursue criminal action against persons or institutions that are unwilling or unable to cooperate.

Additionally, the OAIC is responsible for investigating and taking appropriate enforcement action against contraventions of the Privacy Act and associated data and privacy obligations. Similarly, the ACCC has the power to investigate and take enforcement action for contraventions of the Competition and Consumer Act 2010 (Cth).

Currently, criminal cases under the Corporations Act must be brought in state courts and not at the federal level, with the Royal Commission finding that ASIC primarily instigates criminal proceedings in the financial services sector against individuals. Any criminal prosecutions for misconduct by banks and other financial institutions are heard in state courts and subsequently must compete with state cases for resources and scheduling. In late 2018, the Attorney-General’s Department conducted a review to consider whether the jurisdiction of the Federal Court should be broadened to include corporate crime on the basis that it may be able to manage cases faster and more efficiently than state courts. The outcome of the review is expected to be released in early 2019.


What tribunals adjudicate criminal and civil financial services infractions?

AFCA resolves disputes between consumers and financial services providers and may require a financial services firm to pay compensation, release security over a debt or reinstate, rectify or properly perform a contract. AFCA’s jurisdiction in adjudicating disputes between consumers and financial services firms is up to A$1 million per dispute. The monetary limit on awards the AFCA can make for a claim is A$323,500, except for general insurance broking, income stream product disputes and uninsured third-party motor vehicle claims.

The Administrative Appeals Tribunal (AAT) is an independent body that conducts merits review of administrative decisions made by the regulators under corporations and financial services legislation. The AAT has the power to affirm, vary, set aside or remit a decision.

Criminal infractions are adjudicated in Australian courts only.


What are typical sanctions imposed against firms and individuals for violations? Are settlements common?

See question 10 with respect to sanctions and enforcement remedies.

A court is never obliged to give effect to an agreed settlement; it will consider whether the proposed outcome is appropriate on the basis of the materials provided by the parties and the contents of any agreed statement of facts.

ASIC has generally shown a willingness to settle as a way of reaching cheaper and faster outcomes in most disputes. ASIC can accept an enforceable undertaking and issue a media release, while the other party avoids litigation and continues its business operations. ASIC has also entered into settlement agreements with various banking institutions to provide compensation for losses suffered.

Despite ASIC’s willingness to reach settlement agreements, the Royal Commission has questioned this approach. It found that ASIC has been too ready to avoid compulsory enforcement action and instead to settle disputes by agreement, an approach that often leaves facts unestablished in court and does not test the effectiveness of the law.

Compliance programmes

Programme requirements

What requirements exist concerning the nature and content of compliance and supervisory programmes for each type of regulated entity?

The nature and content of compliance varies depending on the activities in which the entity is engaged.

Australian financial services licensees

Australian financial services licensees have general obligations that must be complied with under the Corporations Act. These obligations (discussed in further detail in question 15) include ensuring financial services are provided efficiently, honestly and fairly, managing conflicts of interest, complying with licence conditions and financial services laws, carrying out supervisory arrangements, maintaining a dispute resolution system for retail clients and ensuring the licensee’s representatives are adequately trained and competent.

The extent of a licensee’s obligations is determined by the nature, scale and complexity of the business. Relevant factors include the products and services offered, volume and size of the transactions, number and type of clients (wholesale or retail), the diversity and structure of the operations, size of the organisation and whether financial services is a core provision of the business. It is crucial that licensees have adequate processes, procedures or arrangements that cover all obligations, including general obligations, licensing conditions and any applicable financial services law.

Additionally, licensees must have adequate risk management systems in place on an ongoing basis to identify, evaluate and mitigate potential risks to an acceptable minimum. Risk management systems must be based on a structured and systematic process that take into account a licensee’s obligations.

Market licensees

Market licensees must comply with their licence obligations on a continuing basis and report annually on the extent of their compliance. Relevant elements include monitoring and assessment to identify actual or potential breaches; ensuring the market is fair, orderly and transparent; and close supervision of the market to handle conflicts of interest, monitor the conduct of participants and trading activity, and deal with suspected breaches.

Australian credit licensees

Australian credit licensees must comply with general obligations that aim to ensure businesses are operated properly. In addition to these, licensees must also adhere to more specific obligations and regulations, which include:

  • responsible lending requirements, which require the licensee to make reasonable inquiries about, and verify, a consumer’s financial situation and to assess whether the credit contract is unsuitable for the consumer;
  • requirements in the National Credit Code dealing with precontractual disclosure and conduct in relation to the terms of credit contracts and consumer leases; and
  • maintaining trust accounts.

Credit licensees must also lodge an annual compliance certificate with ASIC to certify that their obligations as a licensee have been complied with.

CS facility licensees

CS facility licensees must comply with a number of general obligations under the Corporations Act. These obligations include complying with the RBA’s financial stability standards, reducing systemic risk, providing services in a fair and effective manner, complying with licensing conditions, ensuring adequate arrangements are in place for handling conflicts of interest and enforcing compliance with the facility’s operating rules, and having sufficient resources to operate supervisory arrangements. It is important for CS facility licensees to report to ASIC and RBA at least annually on whether these licence obligations are being satisfied.

ADI licence holders

ADI licence holders have a number of ongoing obligations. These include ensuring that their risk management and internal control systems are adequate and appropriate for monitoring and mitigating risk, satisfying requirements on the composition and functioning of the board and ensuring that people in key positions of the ADI are fit and proper.


How important are gatekeepers in the regulatory structure?

Gatekeepers play a crucial role in the overall operation of the Australian financial system. Although the roles and responsibilities of gatekeepers in the financial services industry are governed by ASIC, the system is ‘self-executing’. ASIC expects gatekeepers to act professionally and treat investors fairly, maintain effective risk management and internal supervision, and ensure investors are fully compensated when losses result from poor conduct. Within the financial services system, the key gatekeepers include directors, financial planners and financial advisers, custodians, research houses, auditors, trustees and responsible entities.

Directors and company officers function as the primary gatekeepers in maintaining the integrity of financial markets and upholding regulatory obligations. Companies are expected to have strong internal auditing and compliance functions, and directors are expected to drive a strong culture of compliance within their organisation. ASIC closely monitors gatekeeper conduct and holds directors to account for failure to properly execute their obligations. It is important for companies to have proper internal processes for handling revelations from whistle-blowers, train staff on company conduct and obligations, and periodically check on the effectiveness of compliance policies and regulatory requirements, including identifying, escalating and reporting breaches to ASIC.

ASIC has overall responsibility for the surveillance, investigation and enforcement of the financial reporting and auditing requirements of the Corporations Act. Internal auditors must maintain independence from the audit committee or board of directors in order to form a true and fair opinion about whether the financial report complies with the accounting standard. Directors must not rely on the auditor when forming their own opinion on the financial report and ensure the company has its own system, processes, controls and resources to produce high-quality financial reports.

Such gatekeepers are also coming under greater scrutiny in the banking industry, including with the introduction of the Banking Executive Accountability Regime (BEAR). Administered by APRA, BEAR imposes increased accountability obligations on senior executives and directors of ADIs in relation to their specific roles within the organisation as it relates to compliance with laws and notification of non-compliance.

Directors' duties and liability

What are the duties of directors, and what standard of care applies to the boards of directors of financial services firms?

Duties are imposed on directors under both general law and the Corporations Act. Among these duties, some of the most significant are:

  • to act in good faith in the best interests of the company and for a proper purpose;
  • to exercise care and diligence;
  • to avoid conflicts between the interests of the company and personal interests;
  • not to improperly use a position to gain a personal advantage, or to cause detriment to the company;
  • not to improperly misuse information;
  • to maintain proper financial and accounting records;
  • to prevent the company from trading while insolvent (ie, while it is unable to pay its debts as and when they fall due); and
  • if the company is being wound up, to report to the liquidator on the affairs of the company and provide assistance.

In addition, at common law and in equity, directors are regarded as fiduciaries and therefore owe a duty of care to their company. Directors are required to exercise their powers with the standard of care and diligence that a reasonable person would use in similar circumstances. There is no specified standard of care. However, when determining whether a duty has been breached, a court will have regard to factors such as the circumstances of the business, the responsibilities of the directors within the company, the outcomes of decisions and the foreseeable risk of harm associated with them.

Additional obligations apply to directors on the board of a responsible entity of a registered managed investment scheme. These duties include:

  • to act honestly and exercise the degree of care and diligence that a reasonable person would exercise in the position;
  • to act in the best interests of the members of the scheme;
  • not to improperly misuse information;
  • not to improperly use a position to gain a personal advantage or cause detriment to the members of the scheme; and
  • taking reasonable steps to ensure the responsible entity complies with licensing requirements and the scheme’s constitution and compliance plan.

AFSL holders also owe a number of statutory obligations under the Corporations Act in addition to complying with licensing conditions and financial services laws and ensuring that their representatives do so also. These obligations include taking all reasonable steps to ensure that financial services are provided efficiently, honestly and fairly, managing conflicts of interest and maintaining the resources and competence to provide the services. If an AFSL holder’s clients include retail clients, there must be an internal dispute resolution system and appropriate compensation arrangements in place, as well as a duty to act in the best interests of those clients and to prioritise their interests where personal advice is being provided by the licensee.

Responsible managers are key individuals within a business and are thoroughly checked by ASIC to ensure that the AFSL holder is ‘competent’. Responsible managers must be of good fame and character, have the requisite skill and knowledge and be directly responsible for significant day-to-day decisions about the ongoing provision of financial services.

In January 2019, ASIC amended information required for body corporates applying for an AFSL and now requires information about their ‘responsible officer’. ASIC must be satisfied that there is no reason to believe that any of the applicant’s responsible officers are not of good fame or character. A responsible officer is defined as an officer of the AFSL applicant who would perform duties in connection with the holding of an AFSL. An officer includes a director or secretary of the applicant, a person who makes (or participates in making) decisions that affect all or a substantial part of the applicant’s business, or a person in accordance with whose instructions the directors of the applicant are accustomed to act. Responsible officers may also be responsible managers of the AFSL holder.

ASIC must also be satisfied that an individual is a ‘fit and proper person’ to engage in credit activities before an ACL can be granted. ASIC considers whether each of the people involved in managing a credit business are fit and proper people to perform that role. Relevant factors that determine a fit and proper person include competency, attributes of good character, conflicts of interest and any disqualification from the law.

When are directors typically held individually accountable for the activities of financial services firms?

Although a company has a distinct legal existence, directors may be held individually accountable under certain circumstances for any adverse outcomes deriving from activities of the firm. Key areas of potential personal liability include debts incurred when the company becomes insolvent due to insolvent trading, breach of director’s duties, guarantees over personal assets, illegal phoenix activity involving the intentional transfer of assets from an indebted company to a new company to avoid tax obligations or debts incurred by companies acting as trustees.

Directors may also be held personally liable for breaches of other laws administered by other agencies, such as failing to satisfy a company’s tax obligations.

A director who fails to perform his or her duties may be guilty of a criminal offence with a penalty of up to a maximum of A$200,000 or imprisonment of up to five years, or both, be ordered to pay a civil financial penalty of up to A$200,000, be personally liable to compensate the company or others for any loss or damage they suffer, and be prohibited from managing a company.

Where a responsible manager of an AFSL holder acts solely in the capacity of maintaining organisational competency, it is unlikely that they would be held personally liable unless they contributed to a breach, in which case they may be banned or required to pay a fine. However, if a responsible manager is also an employee providing financial advice or a director of the licensee, he or she may be held personally liable if the advice breaches financial services laws or where the director’s duties (discussed above) are breached.

Private rights of action

Do private rights of action apply to violations of national financial services authority rules and regulations?

Private rights of civil action apply to violations in certain circumstances, including for a breach of a statutory duty under the Corporations Act, a breach of the common law, breach of contract or breach of fiduciary duty.

To establish that there was a breach of a statutory duty, a claimant bringing a private action must first prove that a duty of care was owed, the duty was breached, the breach caused the claimant to suffer an injury and the damage was a foreseeable consequence of the breach of the duty.

Standard of care for customers

What is the standard of care that applies to each type of financial services firm and authorised person when dealing with retail customers?

Financial services providers are required to provide financial services in a way that is fair, efficient and honest. This standard applies to the provision of all financial services, regardless of the sophistication or experience of clients. Higher standards apply to financial services that are provided to retail clients. Financial services providers that provide personal financial product advice to retail clients have a further obligation to act in the best interests of such clients, and prioritise client needs over the provider’s own.

Does the standard of care differ based on the sophistication of the customer or counterparty?

The Corporations Act distinguishes between retail and wholesale clients, with all clients assumed to be retail unless they satisfy one of the wholesale categories. The wholesale categories include clients with a gross annual income of A$250,000 or more in each of the previous two years or net assets of at least A$2.5 million.

Under the Corporations Act, retail investors are afforded greater consumer protections than a ‘sophisticated investor’. Sophisticated investors are expected to have a greater level of knowledge and, to a degree, to be able to look after their own interests to a greater extent as compared with retail investors.

On the other hand, firms providing financial services to retail clients must adhere to certain conduct and disclosure obligations. These obligations are designed to ensure that retail clients receive good-quality advice and are able to make informed decisions on that advice. Generally, a financial services firm must provide various disclosure documents before issuing a financial product to retail clients. These include a financial services guide (disclosing what service the client receives), a statement of advice (disclosing what personal advice has been given in light of the client’s circumstances) and a product disclosure statement (PDS) (disclosing what financial product the client is buying), as well as information regarding compensation and complaint-handling arrangements.

ASIC has published guidance for issuers of certain superannuation products and managed investment products issued to retail clients, which are required to make fee disclosures. Broadly, the enhanced fee disclosure regulations require an issuer to issue a PDS, describe certain transactions in periodic statements, disclose indirect costs and, in the case of superannuation products, other fees, and total fees and costs. Notably, this guidance has recently been reviewed by ASIC, which is seeking industry feedback on proposals to update the guidance and associated regulations with a view to ensuring fees and costs information is practicable for industry while being informative for consumers.

Rule making

How are rules that affect the financial services industry adopted? Is there a consultation process?

Rules that affect the financial services industry in Australia include federal legislation and associated regulations, regulator-specific rules, regulatory guidance and class orders. Much of the applicable legislation allows regulators to vary its effect on industry participants (including relief) through the use of RGs and class orders.

The adoption process varies depending on the nature of the rules or regulations being implemented or changed. Consultation processes will generally be undertaken with industry participants in relation to variations that will significantly alter the current regulatory framework. ASIC issues consultation papers seeking feedback from stakeholders on matters it is considering. These consultation papers outline ASIC’s proposals and questions for public consultation (eg, whether or not they agree with ASIC’s proposals and supporting reasons). Based on the public comments received from submissions to ASIC, ASIC decides whether or not to implement the changes to the relevant rules.

Cross-border issues

Cross-border regulation

How do national financial services authorities approach cross-border issues?

The Corporations Act applies, according to its tenor, in relation to acts and omissions both in Australia and outside of the jurisdiction. Further, each provision is taken to apply, according to its tenor, to all natural persons (whether resident in Australia or not, and whether Australian citizens or not) and all bodies corporate and unincorporated bodies (whether formed or carrying on business in Australia or not). Therefore, the Corporations Act may apply in certain circumstances to corporations not having a nationality or territorial connection to Australia and corporations having a territorial connection to Australia where the conduct in question has not occurred in Australia. Financial services authorities have exercised investigative and enforcement rights arising in the context of this broad application. That is, simply adhering to obligations in Australia while engaging in misconduct in another jurisdiction will not necessarily excuse an entity from the ambit of the Corporations Act.

For financial services authorities, a relevant question in relation to an offshore entity is whether it is carrying on business in Australia.

If an offshore entity satisfies the definition of a ‘foreign company’ under the Corporations Act (ie, broadly, it is a company registered outside Australia), it must be registered with ASIC as a foreign company to carry on business in Australia.

Whether a body is ‘carrying on a business in Australia’ will depend on certain legal principles and the circumstances. An entity will be deemed to be carrying on a business in Australia if it has a place of business in Australia, establishes or uses a share transfer office or share registration office in Australia or administers, manages or otherwise deals with property situated in Australia as an agent, legal representative or trustee. Generally, the greater the level of system, repetition and continuity associated with an entity’s business activities in Australia, the greater the likelihood that those activities amount to ‘carrying on a business’ in Australia. For example, an insignificant and one-off transaction is arguably not indicative of a business being carried on in Australia. However, a number of small transactions occurring regularly, or a large and one-off transaction, may amount to carrying on a business.

As discussed above, whether an entity carries on a financial services business in Australia is a question of whether it intended to induce Australian consumers to access or receive the financial services it provides. This means the financial services regulatory regime may still apply even where that service is provided offshore.

International standards

What role does international standard-setting play in the rules and standards implemented in your jurisdiction?

Generally, Australia intends to implement most international standards and plays an active role in the setting of such standards. For example:

  • the RBA is a member of the Financial Stability Board;
  • the RBA and APRA are members of the Basel Committee on Banking Supervision;
  • AUSTRAC plays a key role in the Financial Action Task Force, Egmont Group of Financial Intelligence Units and the Asia/Pacific Group on Money Laundering; and
  • ASIC is a member of the International Organization of Securities Commissions.

Broadly, ASIC is also particularly active in entering into cooperation agreements with overseas regulators to better understand and align the regulatory frameworks across the jurisdictions.

Update and trends

Recent developments

Are there any other current developments or emerging trends that should be noted?

In late 2018, ASIC announced that from 30 September 2019 it will no longer allow foreign financial services providers (FFSPs) to rely on ‘passport’ class order relief or on ‘limited connection’ relief from the requirement to hold an AFSL in order to provide financial services in Australia to wholesale clients. Instead, ASIC will be proceeding with its proposal to implement a new regime that will require FFSPs to apply for a foreign AFSL.

The Australian government has also released for consultation an exposure draft for a new bill intended to introduce design and distribution obligations in relation to financial products. This bill will impose four new obligations on persons who engage with potential investors in relation to a product (eg, a person who is responsible for making offers, or giving advice or disclosure to potential investors). The new legislation will also provide ASIC with additional powers to request information from service providers and enforce the new arrangements including through civil and criminal penalties.

The Royal Commission has brought into focus a decrease in consumer trust in the financial services industry generally. The Interim Report of the Royal Commission has stated that from now on, ASIC will need to be firmer and more proactive in taking enforcement action rather than reaching negotiated outcomes (as discussed in question 12). Both ASIC and APRA have commenced internal reviews of their respective enforcement policies and procedures, with the two regulators to collaborate to clarify respective lines of responsibility.

With the new open banking regime to be the first area included in the national consumer data framework, financial services providers will be focused on extracting commercially beneficial insights from data sets quickly and inexpensively in order to better tailor their services for clients. A key focus for regulators will be ensuring that consumer protection remains an integral consideration, with the availability of new data sets to change the competitive nature of the industry and the interaction with consumer protection.