“Co-regulation” encouraged for industry Codes – greater telecommunications surveillance a possibility
The major take-out from the ASIC Enforcement Review Taskforce on industry codes is whether co-regulation in appropriate parts of the financial sector would improve the self-regulatory model.
Several proposals were put forward regarding industry codes, including:
Subjecting the content and governance arrangements for relevant codes to approval by ASIC. This covers activities specified by ASIC as requiring code coverage. The Taskforce identified that codes are not currently required to be approved by ASIC and are not subject to minimum consumer protections and enforcement standards as a key issue.
The Taskforce acknowledges this will involve costs, time and complexity, and will require the relevant industry sector to have the capacity to develop a code which meets ASIC approval.
We believe ASIC should consider revising RG 183 to include base level service standards (rather than “best practice”) administration by an incorporated code body, including robust enforcement provisions. Each subscriber would be required to monitor ongoing compliance and periodically report to the code body.
Entities engaging in activities covered by an approved code should be required to subscribe to that code (by a condition on their AFSL or some similar mechanism). Not all players in relevant industry codes are code subscribers – something the Taskforce considers a key issue and wants to change, to ensure all entities subscribe to their relevant industry codes.
Approved codes should be binding and enforceable against subscribers by contractual arrangements with a code monitoring body. The Taskforce supports a co-regulatory model under which industry participants must subscribe to an ASIC approved code which is binding and enforceable.
Individual customers should be able to seek appropriate redress through the subscriber’s internal and external dispute resolution arrangements for non-compliance with an applicable approved code. Subscribers’ failure to comply with the code is to be considered when resolving disputes with individual customers through a subscriber’s IDR and EDR, on the basis that compliance with the code by subscribers is expected (rather than optional or aspirational).
The code monitoring body, comprising a mix of industry, consumer and expert members, should monitor the adequacy of the code and industry compliance with it over time, and periodically report to ASIC on these matters. The content of the code would remain a matter for industry to determine consistent with the broad criteria set by ASIC.
Proposed Access to Telecommunications Intercept Material
The Taskforce recommends ASIC be given greater powers to access and intercept telecommunications material.
ASIC is not an interception agency or a recipient agency under the Telecommunications (Interception and Access) Act 1979 (TIA Act) – the TIA Act regulates access to telecommunications interception, including live stream of communications content, telecommunications data such as subscriber details, call time and location details, and stored communications including historical text messages, voicemails and emails.
Designated “interception agencies” can seek warrants to intercept telecommunications (a TI warrant) to investigate those defined as a “serious offence” in the TIA Act.
Interception agencies may also communicate TI material to specified agencies if it relates to matters which could be investigated by the recipient agency. The recipient agency may then generally use the TI material to investigate and prosecute “relevant offences” within its jurisdiction.
The Taskforce conducted preliminary analysis of the issues relating to the TIA Act regime and developed the following preliminary position: ASIC should be able to receive TI material to investigate and prosecute serious offences.
The Taskforce considers, on a preliminary basis, that ASIC should be able to receive lawfully intercepted TI material for the purposes of investigating and prosecuting offences, within its jurisdiction, that are defined under the TIA Act as “serious offences”, including the serious Corporations Act offences.
The Taskforce recognises such telecommunication intercept powers intrude on the privacy of individuals. Accordingly, any legislative expansion of the powers needs to be proportionate to the seriousness of the misconduct sought to be addressed and must ensure adequate safeguards to protect against unjustified intrusion into personal privacy.
The ASIC Enforcement Review continues a strong recent direction from the regulator, which is to be more proactive in its role. While these proposals are still in discussion, the overall message is clear: compliance obligations are set to increase, and stronger penalties for breaches on the way.