Issue 668, 2 May 2018
In this issue:
- Information security: APRA consultation on new prudential standard
- ASIC industry funding levies: regulation enhancements
- New dispute resolution framework: Ministerial announcements, regulations and website
- Greater flexibility for SMSFs
- Increasing ASIC’s powers and penalties: response to ASIC enforcement review taskforce
- Proposed increase to Medicare levy abandoned
- APRA revises prudential standard SPS 310: Audit and related matters
- Cyber risk and operational due diligence: APRA insight
Information security: APRA consultation on new prudential standard
As outlined in ASFA Action issue 663, APRA has released a consultation package containing a discussion paper and proposed new cross-industry prudential standard on information security.
The discussion paper notes that information security management requires ongoing vigilance, improvement, investment and oversight, while technological developments continue to expand the scope and sophistication of potential malicious activity against financial institutions. APRA considers that a continuous cycle of investment in sound practices is required of APRA-regulated entities.
APRA’s proposed requirements are set out in a new cross-industry prudential standard, draft Prudential Standard CPS 234 Information Security. Once finalised, CPS 234 will apply to licensees of registrable superannuation entities as well as authorised deposit-taking institutions, general insurers, life insurers, private health insurers, and authorised or registered non-operating holding companies.
APRA is aiming to finalise the new standard in November, with a view to it commencing 1 July 2019. APRA will also undertake separate consultation on updates to its existing prudential guidance on information security, SPG 234, to reflect the final version of CPS 234.
APRA is seeking feedback from industry relating to the compliance impact of the proposals and any other substantive costs associated with the changes. Specifically, information is sought on any changes to compliance costs incurred by businesses as a result of APRA’s proposals.
If you have any feedback that you would like ASFA to consider including in a response to APRA, please forward it to Byron Addison by close of business Friday 18 May 2018.
ASIC industry funding levies: regulation enhancements
Treasury has released exposure draft regulations and explanatory material proposing amendments to the levies in the ASIC industry funding model. This process is separate to the recent Treasury consultation on the exposure draft legislation for the ASIC fee-for-service regime (see ASFA Action issue 667).
If you have any feedback you would like ASFA to consider including in our response to Treasury, please forward it to Andrew Craston by close of business Tuesday 8 May.
New dispute resolution framework: Ministerial announcements, regulations and website
The Minister has announced her formal authorisation of the new financial services external dispute resolution body, the Australian Financial Complaints Authority (AFCA), confirming that AFCA will commence hearing complaints from 1 November 2018, and has also made announcements regarding appointments to the AFCA Board. The government has separately made regulations supporting the new dispute resolution framework, and AFCA has launched its website.
The Treasury Laws Amendment (Putting Consumers First—Establishment of the Australian Financial Complaints Authority) Act 2018 (AFCA Act) was passed by Parliament on 14 February (see ASFA Action issue 660). The AFCA Act introduces a new external dispute resolution (EDR) framework and an enhanced internal dispute resolution (IDR) framework for the financial system.
The new EDR framework involves the creation of AFCA as a single EDR scheme to replace the Superannuation Complaints Tribunal (SCT) and the existing EDR schemes approved by ASIC, the Financial Ombudsman Service and Credit and Investments Ombudsman. The enhanced IDR framework will require financial firms—including trustees of APRA-regulated superannuation funds—to report their IDR activities in accordance with ASIC requirements and allow ASIC to publish information it receives under new reporting requirements. ASIC has indicated it will consult on the enhanced IDR framework following the establishment of AFCA.
On 1 May, the Minister for Revenue and Financial Services, the Hon Kelly O’Dwyer MP, announced that financial firms will be required to be members of AFCA by 21 September. AFCA will commence hearing complaints from 1 November 2018 (previously, the Minister had indicated a date no later than 1 November – see ASFA Action issue 660).
The Minister has also confirmed that there will be no transfer of open complaints between the Superannuation Complaints Tribunal and AFCA, reversing an earlier announcement. Treasury has published a brief factsheet to assist consumers who may have a complaint currently with the SCT or are considering making a complaint.
The Minister also announced that, under the power provided to her by the AFCA Act, she has appointed four directors to the AFCA board. This follows the announcement in March that former Senator the Hon Helen Coonan had been appointed as the inaugural chair of AFCA (see ASFA Action issue 662).
These announcements follow the registration of the Treasury Laws Amendment (Putting Consumers First–Establishment of the Australian Financial Complaints Authority) Regulations 2018 (the AFCA Regulations) in late April. The AFCA Regulations make consequential amendments to existing regulations as a flow-on effect of the AFCA Act.
The AFCA Regulations include amendments to ensure that current requirements applying to ASIC-approved EDR schemes or the SCT are replaced with requirements that apply in relation to the AFCA scheme, and repeal provisions that have become redundant as a result of the transition to the new dispute resolution framework. This involves changes to a number of existing regulations, including the Corporations Regulations 2001, the Superannuation Industry (Supervision) Regulations 1994 and the Superannuation (Resolution of Complaints) Regulations 1994.
The AFCA Regulations commenced on 25 April; however, the specific commencement dates for a number of the amendments are aligned to key dates announced by the Minister on 1 May. The Regulations were the subject of consultation during May-June 2017, along with the exposure draft version of the AFCA Act (see ASFA Action issue 629).
The website for AFCA has now been launched, and includes a timeline of key dates and information about how financial firms can apply for membership. AFCA has also issued a media release providing full details of its inaugural board and confirming that as part of the interim funding arrangements for AFCA, there will be “separate and appropriate arrangements for the funding of superannuation disputes”. These will be based on the parameters applied for the current APRA supervisory levy calculations.
Greater flexibility for self-managed super funds
The government has announced a number of proposed reforms to self-managed superannuation funds (SMSFs).
The Minister for Revenue and Financial Services, the Hon Kelly O’Dwyer MP, has indicated that the government will:
- expand the current limit on the number of members in an SMSF, from four to six
- extend the SuperStream regime to allow SMSF members to initiate and receive rollovers electronically between an APRA fund and their SMSF
According to the Minister, the reforms will expand access to SMSFs, reduce compliance costs, expedite the rollover process and further improve the integrity of the super system.
The Minister indicated she has “asked the ATO to work with industry on the design and implementation of this important reform, which is expected to commence late next year.”
Increasing ASIC’s powers and penalties: response to ASIC enforcement review taskforce
The government has announced that it will strengthen criminal and civil penalties for corporate misconduct and boost the powers of ASIC to protect Australian consumers from corporate and financial misconduct. The announcements form part of the government’s response to the report from the ASIC Enforcement Review Taskforce, which has now been publicly released.
The government has indicated that the reforms will bring Australia’s penalties into closer alignment with leading international jurisdictions, and ensure our penalties are a credible deterrent to unacceptable misconduct.
Key elements to the reforms include:
- an increase in, and harmonisation of, penalties for the most serious criminal offences under the Corporations Act to a maximum of:
  - for individuals – 10 years’ imprisonment and/or the larger of $945,000 OR three times the benefits
  - for corporations – the larger of $9.45 million OR three times benefits OR 10% of annual turnover.
- expansion of the range of contraventions subject to civil penalties, and an increase in the maximum civil penalty amounts that can be imposed by courts, to the maximum of:
  - the greater of $1.05 million (for individuals, increased from $200,000) and $10.5 million (for corporations, increased from $1 million); or
  - three times the benefit gained or loss avoided; or
  - 10 per cent of the annual turnover (for corporations).
- a new power for ASIC to seek additional remedies to strip wrongdoers of profits illegally obtained, or losses avoided, from contraventions resulting in civil penalty proceedings.
- an increase in ASIC’s powers, through:
  - expansion of ASIC’s ability to ban individuals from performing any role in a financial services company where they are found to be unfit, improper, or incompetent
  - strengthening ASIC’s power to refuse, revoke or cancel financial services and credit licences where the licensee is not fit or proper
  - boosting ASIC’s tools to investigate and prosecute serious offences by harmonising its search warrant powers to provide it with greater flexibility to use seized materials, and granting ASIC access to telecommunications intercept material.
The proposed reforms follow recommendations made by the ASIC Enforcement Review Taskforce. The Taskforce was established in October 2016 to fulfil the Government’s commitment to review the adequacy of ASIC’s enforcement regime in response to the Murray Financial System Inquiry, and provided its report to government in December 2017. It conducted a number of consultations during 2017 (refer ASFA Action issues 643, 638, 633, 625).
The government has agreed, or agreed in principle, to all 50 of the Taskforce recommendations and will prioritise the implementation of 30 of the recommendations.
The remaining 20 recommendations—relating to self-reporting of breaches, industry codes and ASIC’s directions powers—will be considered alongside the final report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry.
Proposed increase to Medicare levy abandoned
The government has indicated that it will no longer proceed with a planned 0.5 per cent increase in the Medicare levy.
In the May 2017 Budget (see ASFA Action issue 627), the government proposed increasing the Medicare levy from 2.0 to 2.5 per cent, to fund the National Disability Insurance Scheme (NDIS). A package of bills was subsequently introduced into parliament to give effect to the increase, including a number of bills that would have directly and indirectly impacted on the amount of tax to be paid and/or withheld from certain types of superannuation amounts (see ASFA Action issue 641).
On 26 April, the Treasurer, the Hon Scott Morrison MP, announced that the government will no longer proceed with the proposed increase in the Medicare levy. Announcing the decision, the Treasurer said:
“Our economy is now stronger and it is continuing to strengthen under the Turnbull Government’s national economic plan. This has created more and better options.
That is why we are now in a position to give our guarantee to Australians living with a disability and their families and carers that all planned expenditure on the NDIS will be able to be met in this year’s Budget and beyond without any longer having to increase the Medicare levy.
Fiscal details of this decision will be set out in the budget. The decision is also taken without impacting on the government’s plan and timetable to return the budget to balance.”
APRA revises prudential standard SPS 310: Audit and related matters
APRA has finalised a revised and updated version of its prudential standard SPS 310 Audit and Related Matters, modifying an audit requirement in relation to compliance by a registrable superannuation entity (RSE) licensee with its operational risk financial requirement (ORFR) strategy.
SPS 310 was introduced in 2013 as part of a package of new prudential standards applying to RSE licensees, supporting the Stronger Super reforms. One key aspect of SPS 310 allows APRA to approve a form (the approved form) for the auditor’s report, and requires the auditor’s report to be in the approved form.
Paragraph 19(b)(iv) of SPS 310 initially required auditors to provide, via the auditor’s report, limited assurance addressing the RSE licensee’s compliance with its ORFR strategy. This limited assurance requirement was intended to ensure adequate review of the ORFR target amount and tolerance limit, how the financial resources will be used, the replenishment plan, and review and monitoring processes in relation to the ORFR. However, the audit profession advised APRA that:
- there is no additional testing that the external auditor can effectively and efficiently undertake as part of the year-end audit, therefore a limited assurance review requirement adds little value
- any other testing of this requirement would be considered to be an internal audit function rather than a function of the RSE auditor.
Auditors are already required to provide reasonable assurance on RSE licensee compliance with relevant Acts and regulations, including the requirement to maintain ORFR reserves at the required target amount, and the annual reporting forms that relate to these requirements. Auditors also provide limited assurance on the systems, procedures and internal controls designed to ensure that the RSE licensee has complied with all applicable prudential requirements.
As a result of these considerations, APRA has decided to remove both the limited assurance review requirement in paragraph 19(b)(iv) of SPS 310 and the equivalent provision in the approved form of the audit report (which must comply with SPS 310).
This amendment is likely to reduce compliance burden for superannuation auditors without affecting the prudential effectiveness of ORFR strategies. APRA indicates that minor consequential amendments have also been made to SPS 310 as a result of this change.
The updated version of SPS 310 commenced on 1 May. APRA has also written to RSE licensees to outline the amendments to SPS 310.
Cyber risk and operational due diligence: APRA insight
APRA has issued its first Insight publication for 2018, with feature articles on combating cyber risk and the need for investment managers in superannuation to have robust operational due diligence (ODD) practices.
On cyber risk, APRA notes that it is proposing to introduce a new prudential standard for information security management. Consultation on an updated version of CPS 234 is underway (see separate item in this issue of ASFA Action and issue 663 for background), with a view to the new standard commencing from 1 July 2019. The Insight article makes the following key points:
- No matter how strong security measures are, APRA recommends entities adopt an ‘assumed breach position’ – in essence, assuming that at some point their information security defences will be penetrated. This will encourage the development of robust incident management practices that help ensure any incident is detected swiftly and dealt with effectively
- Cyber-crime is no longer an emerging risk – it has emerged, and is evolving at an accelerating rate. Although unlikely, it is now possible to envisage a scenario where a regulated entity is so badly damaged by a cyber-attack that it is forced out of business. The growing scale and sophistication of cyber criminals means a material breach is “probably inevitable”
- While information security is generally well-handled by regulated entities, there are several areas that require greater attention. These include assurance over service providers’ cyber capabilities, basic cyber hygiene, and preparing to respond and recover once an incident has occurred
- The findings of APRA’s 2015 and 2017 cyber security surveys indicate the maturity of regulated entities’ ability to respond to and recover from cyber security incidents varies. Many respondents had not tested their ability to respond to and recover from cyber security incidents during the previous year, and response plans sometimes lacked integration with business continuity and disaster recovery plans. By introducing CPS 234, APRA will be requiring that incident response plans be fully tested and integrated.
In relation to ODD, APRA indicates it has been reviewing industry practices for investment managers in superannuation, as the quality of ODD provides insights into the risk culture and overall approach to risk management of the investment manager. APRA has observed a range of industry practices in relation to operational due diligence – some larger RSE licensees have their own dedicated resources to determine requirements and perform ODD appropriate to their circumstances, while others may have given the discipline little thought.
The Insight article discusses the two main models by which an external consultant is engaged to conduct operational due diligence:
- the ‘owner-led’ model, under which consultants are engaged directly by the RSE licensee to conduct ODD on the investment manager
- the ‘manager-led’ model, under which consultants are engaged by the investment manager to produce an operational due diligence report which the investment manager is then able to provide as needed to RSE licensees considering using the manager.
APRA notes the increased focus on ODD in the superannuation sector over the past 12 months, with greater recognition of the benefits of undertaking ODD, beyond it being seen as largely a compliance exercise. There has also been ongoing industry dialogue regarding the respective benefits of the owner-led and manager-led models. APRA’s interactions with industry suggest there is broad agreement on the overarching benefit to the industry as a whole of enabling as many RSE licensees as possible (regardless of their scale and internal resource levels) to have access to robust operational due diligence information, irrespective of the review model adopted.
ASFA REGULATORY WATCHLIST
ASFA’s Regulatory Watchlist (ARW) tracks developments in legislation, inquiries, consultations and other regulatory announcements relevant to superannuation.