Australian Regulatory Trends 2019

Regulatory trends 2019

Building resilience to a changing regulatory landscape






Corporate regulation

Risk and compliance




Financial services regulation

Privacy and data protection

Occupational health and safety




Environmental regulation

Trade and transport



Key contacts




The fast pace of regulatory change in Australia continues in 2019. This report sets out a summary of the key regulatory trends that are confronting our clients across our key sectors of insurance, energy, trade, transport and infrastructure. By international standards, Australia is one of the most regulated economies in the world. This year’s publication is designed to provide you with an overview of the most pressing regulatory issues that businesses operating in Australia need to be aware of, and to provide practical advice as to what businesses should be doing to manage these issues.

Given the release of the Final Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry, this edition includes a special feature on the regulation of financial services industries. Also profiled are a number of developments affecting the regulation of international trade and transport, including the emerging drone regulatory regime.

Clyde & Co is committed to ensuring that our clients are in the best position possible to respond to any regulatory issues that do arise. The consequences of failing to prepare include civil and criminal penalties, reputational damage and in the most extreme cases, loss of authority to operate a business. Our regulatory and investigations team focus on these issues and are able to help organisations build resilience through practical advice that deals with these complex regulatory challenges.


Corporate regulation

Dean Carrigan, Partner, T +61 2 9210 4401

Avryl Lattin, Partner, T +61 2 9210 4425




–– Tougher penalty framework
–– Revised ASX Governance Principles
–– Climate change disclosure

From 13 March 2019, companies that engage in corporate misconduct are now exposed to significantly increased financial penalties. The Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Act 2019 (Cth) (Penalties Act) received Royal Assent on 12 March 2019. The Penalties Act is designed to deal with the long-held concern that penalties for breaches of corporations law are insufficient to deter misconduct. This issue was squarely raised in the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Financial Services Royal Commission).

To deter future misconduct, the Penalties Act has increased civil and criminal penalties for breaches of the Australian Securities and Investments Commission (ASIC) administered legislation including the Corporations Act 2001 (Cth) (Corporations Act), Australian Securities and Investments Commission Act 2001 (Cth), National Consumer Protection Act 2009 (Cth) and the Insurance Contracts Act 1984 (Cth) (Insurance Contracts Act). The Penalties Act increases financial penalties and terms of imprisonment. Those involved in corporate misconduct face a greater risk of increased financial exposure for such wrongdoing. Civil penalties increased up to a cap of AUD 525 million for corporations. Criminal penalties are further set out in the Corporate Crime Regulatory Update (see page 20).

Breaches of general Australian Financial Service Licence (AFSL) obligations by a company under section 912A of the Corporations Act will now attract a financial penalty. Under the Penalties Act the penalty will be the greater of:

–– AUD 10.5 million;
–– three times the value of the benefit derived from the contravention; and
–– 10% of the company’s annual turnover, capped at AUD 525 million.

The Courts have also been provided with greater discretion to provide compensation to victims and a relinquishment regime has been introduced to ensure any financial benefit gained as a result of the misconduct is disgorged.




The ASX Corporate Governance Council (the Council) released the fourth edition of its Corporate Governance Principles and Recommendations on 27 February 2019. In the revised principles, there is a significant focus on organisational culture and a number of new board responsibilities are designed to focus on corporate culture and governance. Principle 3 has been substantially revised to require that a listed entity “…continually reinforce a culture across the organisation of acting lawfully, ethically and responsibly”. In terms of new policies, the recommendations suggest that every listed entity should have a whistleblower policy and an anti-bribery and corruption policy. There is also a focus on risk management in the revised principles. This includes ensuring that the company has risk strategies to deal with contemporary and emerging risks such as conduct risk, digital disruption, cyber-security, privacy, data protection, climate change and sustainability.

Under Rule 4.10.3 of the ASX Listing Rules, ASX listed entities are required to include in their disclosures a benchmark of their corporate governance practices against the Council’s recommendations. If an entity’s practices do not conform, then, in accordance with the “if not, why not” approach, they must disclose that fact and specify the reasons for the departure.

There have been a number of developments in recent years which have put pressure on companies to consider climate change risks and make appropriate disclosures in their annual reports. Australian shareholders have been taking a more active approach to pushing for disclosure of climate change risk by Australian listed companies by proposing shareholder resolutions on the topic at Annual General Meetings and have gone as far as launching legal proceedings against companies for failure to adequately disclose climate change risk in Annual Reports.

In 2018, ASIC publicly stated that its key priorities in relation to climate change risks are corporate governance and disclosure, with ASIC Commissioner John Price highlighting that corporate governance practices for managing risks and opportunities should apply to climate change risks in a similar manner as these practices already apply to compliance risks, cyber security or digital disruption. The voluntary disclosure framework developed by the Taskforce on Climate-Related Financial Disclosures (TCFD) in June 2017 may help companies in considering how to disclose climate change related risks in a way which will take into account the general information needs of investors outside of the strict legal requirements for disclosure.

Although at this stage, no changes will be introduced to the existing disclosure regime in Australia to incorporate the TCFD disclosure framework, ASIC has signalled that it will be closely monitoring developments on disclosure in this area, following a number of Australian listed companies announcing an intention to report, or commence reporting over time, under the TCFD framework. In August 2019, ASIC updated its guidance on climate change related disclosure. The new guidance elaborates on how climate change risks should be incorporated into corporate documents. Importantly, the potential exposure of directors is specifically addressed and highlights that statements must be based on best available evidence at the time, have a reasonable basis and be updated if events overtake the relevant statement.

It is clear from the recent regulatory developments in corporations law that the central theme for the year for both ASIC and the ASX is ensuring good corporate culture across Australian companies. The introduction of tougher penalties will assist ASIC in its pursuit of corporate misconduct arising from poor corporate governance practices. Businesses should undertake reviews of their existing corporate governance policies, procedures and frameworks to ensure that all of their corporate law obligations are met, including in emerging areas such as climate change risks disclosure. Corporate culture will continue to be a focus by regulators and it will be increasingly important for businesses to have data and analytics to support and demonstrate the effective implementation of policies and processes. Compliance frameworks must be adapted to reflect this shift and executives must lead culture revision from the top.



–– Cartel action
–– Misuse of market power
–– Digital platforms

Collusive behaviour continues to be a major target for enforcement action in the area of competition law. It is anticipated that the Australian Competition and Consumer Commission (ACCC) will conclude and prosecute two to three cartel cases per year. In recent years, the ACCC has pursued action against criminal cartel behaviour in the following sectors:

–– the banking industry (ANZ, Deutsche Bank, Citigroup, and various senior executives);
–– the shipping industry (K-Line); and
–– the Construction, Forestry, Maritime, Mining and Energy Union and its ACT Divisional Branch Secretary.

The ACCC has also demonstrated its willingness to prosecute individuals, and executives found guilty of a criminal cartel offence could face a prison sentence of up to 10 years.

In 2018, the ACCC prosecuted its first “gun jumping” case against Cryosite Limited and Cell Care Australia Pty Ltd and the judgment was handed down by the Federal Court on 13 February 2019. The ACCC alleged that the two companies engaged in cartel behaviour by coordinating their business activities prior to completion of a merger approval and while they were still independent competitors. The Federal Court held that Cryosite engaged in cartel conduct by agreeing to refer all customer enquiries to Cell Care as part of a merger agreement and noted: “Market sharing, including when it is undertaken in the context of a proposed or anticipated sale of business, is cartel conduct. And cartel conduct of its nature causes serious harm to consumers, other businesses and the economy.”

The ACCC also continues to seek significant penalties for cartel conduct. In 2018, following an appeal of the initial penalty by the ACCC, the Full Federal Court of Australia imposed a $46 million penalty on Yazaki Corporation. In August 2019, K-Line was convicted and fined $34.5 million. This is the largest ever criminal fine imposed under the Competition and Consumer Act 2010 (Cth) (CCA).



There is an expectation that following the introduction of new competition laws at the end of 2017, the ACCC may look to test the new misuse of market power prohibition in 2019. Under the previous market power provisions, it was necessary to demonstrate that a business was misusing its market power for the “purpose of substantially lessening competition”. The new test in section 46 of the Competition and Consumer Act 2010 (Cth) is broader and it is now sufficient to demonstrate that conduct taken by a business has the “purpose, effect or likely effect of substantially lessening competition”. Any company that has substantial market power in a particular market should carefully consider whether its practices might result in a substantial lessening of competition. Such a result may arise even where the intention of the conduct is to create greater competition. In 2018, the ACCC released an update of its Guidelines on misuse of market power.

DIGITAL PLATFORMS

The ACCC has undertaken the world’s first review of the role of digital platforms in the economy. The ACCC’s final Digital Platforms Report was released in July 2019 and considered the impact of digital search engines, social media platforms and digital content aggregation platforms on media and advertising, with a large focus on Google and Facebook.

The ACCC proposed that designated digital platforms should each separately be required to provide a code of conduct to the Australian Communications and Media Authority (ACMA) to govern their commercial relationships with news media businesses, which is aimed at addressing the imbalance in the bargaining relationship between these organisations. The ACMA would closely consult with the ACCC in performing its role under this recommendation, and it is proposed that breaches of the code would be dealt with by the ACMA, which would be vested with appropriate investigative and information gathering powers and the capacity to impose sufficiently large sanctions for breaches to act as an effective deterrent.

The ACCC also recommended that changes be made to the Privacy Act 1988 (Cth) to allow consumers to make more informed decisions about the use and collection of their personal information, including the strengthening of consent requirements. It is also proposed that the Office of the Australian Information Commissioner engage with digital platforms to develop an enforceable code of practice. The ACCC noted that in March 2019, the Government announced the creation of a legislated code to apply to social media and online platforms which trade in information and the ACCC’s recommendation could align with and be taken into account in the Government’s consideration of the substance and reach of that code.




Although there is no legal requirement to notify the ACCC of a merger, many companies still seek to confirm that the ACCC will not oppose a merger through the informal merger review process. The decision by the ACCC in May 2019 to oppose the merger of TPG Telecom Limited and Vodafone Hutchison Australia Pty Ltd on the basis that it would result in reduced competition and contestability, has put the ACCC’s approach to competition under close scrutiny. The parties involved are seeking review of this decision in the Federal Court of Australia. The decision appears to reflect an increasing focus by the ACCC on excessive consolidation in particular industries. There is a particular concern by the ACCC that acquisition of new entrants, who have the longer term potential to enhance competition in a sector, may have far-reaching consequences.

In light of the active approach being taken by the ACCC to enforcement action for cartel behaviour and the potential for the ACCC to test the new misuse of market power provisions, business leaders should consider enhancements to their existing corporate capability for addressing and responding to competition law issues or face the risk of being prosecuted. The emergence of digital platforms and the presence of disrupters in almost every sector is already affecting the ACCC’s approach to regulation. Companies that are looking to operate in the digital space, or incumbents that are looking to acquire new players, need to be mindful of this shift in attitude in making business decisions.




–– ACL reform
–– Increased penalties for ACL breaches
–– Unfair contract terms in insurance contracts

The Treasury Laws Amendment (Australian Consumer Law Review) Act 2018 (the ACL Review Act) came into force in October 2018. The ACL Review Act amended the Australian Securities and Investments Commission Act 2001 (Cth) (the ASIC Act), Competition and Consumer Act 2010 (Cth) (the CCA), and the ACL, set out in Schedule 2 of the CCA. Key amendments included:

–– extending the prohibition against unconscionable conduct in the ACL to also protect public companies;
–– improvements in price transparency for certain ‘optional extras’; and
–– expanding the definition of financial services in the ASIC Act to include financial products.

Companies and directors should be aware of the increase in penalties for contraventions of the ACL that came into force in September 2018. The CAANZ Final Report concluded that the existing penalties for corporations and individuals were insufficient to deter non-compliant conduct. CAANZ found that some companies viewed penalties as a cost of doing business as opposed to a deterrent to contravening the ACL and therefore proposed that the penalties should be increased to match those in the CCA. The Treasury Laws Amendment (2018 Measures No.3) Act (Cth) (TLA) was passed by Parliament in August 2018 and significantly increased the penalties for breaches of the ACL. With the introduction of the TLA, an individual can now be fined up to AUD 500,000 for each contravention of a number of restrictive trade practices and the fine for breach by a corporation has increased to the greater of:

–– AUD 10 million;
–– three times the value of the benefit received; or
–– if a benefit cannot be determined, 10% of the business turnover in the preceding 12 months.




In Australian Competition and Consumer Commission v We Buy Houses Pty Ltd (No 2) [2018] FCA 1748, the Federal Court of Australia imposed the highest ACL penalty to date against We Buy Houses (AUD 12 million) and its sole director Mr Otton (AUD 6 million) for making false or misleading representations. We Buy Houses and Mr Otton were found to have targeted disadvantaged and vulnerable consumers who hoped to enter the housing market or invest money in real estate. Free seminars, paid ‘boot camps’, and mentoring programs advised consumers that they would be able to buy a house for AUD 1 without a deposit, quit their jobs, and start making profits immediately. Between 2011 and 2014, We Buy Houses had generated significant revenue from these training programs. The focus on enforcement of the ACL by the ACCC will no doubt result in greater consumer awareness of this legislative framework. Consumers are asserting their rights with reference to the ACL more frequently and are gaining a greater awareness of circumstances when they may be able to claim a replacement, refund or consequential damages.

Currently, section 15 of the Insurance Contracts Act 1984 (Cth) provides an exemption from the unfair contract terms (UCT) regime in the ACL and the ASIC Act for insurance contracts. However, both the 2017 Australian Consumer Law Review and the 2018 Parliamentary Inquiry into Life Insurance found that this exemption was inconsistent with the intention of the UCT regime and consumer law. The Government released a proposal paper in June 2018 that recommended that the UCT regime be extended to insurance contracts. The Financial Services Royal Commission also recommended that this change be introduced.

The extension would void unfair terms in standard form insurance contracts with consumers and small businesses. Unfair terms include those which create a significant imbalance in the parties’ rights which are not reasonably necessary to protect the interests of the advantaged party and would cause detriment or disadvantage to the other party. Under the exposure draft legislation, exemptions are provided for terms that:

–– define the main subject matter of the contract;
–– relate to the upfront price payable under the contract; and/or
–– are required or permitted under law.

Recognising the unique features of insurance contracts, the government proposes to tailor the regime for insurance contracts as follows:

–– the main subject matter exemption will extend narrowly to those terms that describe what is being insured under the policy;
–– the upfront price payable exemption will cover terms related to the premium and excess payable under the policy;
–– policies which provide the insured with options of cover will be considered standard form contracts; and
–– terms which do not reflect the underwriting risk accepted by the insurer will be exposed to the UCT regime.

Terms that focus on limits on liability and premium payment terms may not be exempt from the UCT regime. Once the reforms are implemented, insurers will need to give close consideration to the policy terms that they are including in standard form contracts with consumers and small businesses. Particular areas of risk include excess payments, exclusions and defined terms that have uncommon meanings and there is likely to be an increased requirement to justify such provisions through actuarial data.

Businesses who deliver goods or services to consumers or small businesses must ensure they understand the growing importance of the ACL in the consumer law space. The review of the ACL in 2017 has already triggered a toughening of the ACL regime and the associated penalties. We expect the ACCC’s focus on the use of the ACL to continue and where appropriate, they will look to raise the profile of the ACL by running high profile cases. Following the Financial Services Royal Commission there is also a significant push to improve the legal protections for retail customers in the financial services space and the removal of various existing exceptions for insurers under the unfair contract terms regime is one such example. These initiatives will no doubt result in greater awareness amongst consumers as to their legal rights. Businesses must be cautious to avoid misrepresenting the scope and application of the ACL as this act in itself can also result in significant penalties.



Risk and compliance


Avryl Lattin, Partner, T +61 2 9210 4425

Jonathan Wyatt, Partner, T +61 8 6145 1785

Janette McLennan, Partner, T +61 2 9210 4456



The Treasury Laws Amendment (Whistleblowers) Act 2019 (Cth) (Whistleblower Act) passed both houses of Parliament on 19 February 2019 and received Royal Assent on 12 March 2019. The new whistleblower regime entered into force on 1 July 2019. The Whistleblower Act creates a single whistleblower protection regime within the Corporations Act 2001 (Cth) (Corporations Act) which covers the corporate, financial, and credit sectors. The existing whistleblower provisions across a range of different legislation have been consolidated, and offences under a number of different laws are deemed to be conduct which could be subject to disclosure under the new regime. The definition of eligible whistleblowers who will be protected has been significantly extended to include both current and former officers, employees and suppliers, associates of such persons, and relatives of such persons.

Disclosure will now be able to be made to a wider range of persons including:

–– designated eligible recipients (including officers, senior managers and various regulators);
–– a legal practitioner, for the purposes of seeking legal advice; and
–– in defined circumstances, to members of parliament of the Commonwealth or a State or Territory and/or to journalists.

Under the existing corporate whistleblower regime, there is a requirement that a whistleblower acts in “good faith”. In the Whistleblower Act, no such requirement exists and therefore the motives of a whistleblower cannot be taken into account in determining whether a disclosure qualifies for protection. Further, whistleblowers who make disclosures will be entitled to anonymity. Whistleblowers will have increased access to compensation where they have been victimised or where their identity is revealed. Such compensation will be payable by both individuals involved in the victimisation or identity disclosure, and bodies corporate.

The Whistleblower Act as passed reflects a number of changes introduced by the Senate including:

–– a disclosure will not be protected for a personal work-related grievance;
–– low level supervisors and managers are excluded from the class of persons to whom a disclosure can be made;
–– whistleblowers have the ability to make a claim for compensation against a company if the company allows a third party to victimise the whistleblower;
–– due diligence was removed as a complete defence to certain compensation orders (but it is one factor that Courts can consider);
–– introduction of a six-month period following commencement for companies to comply with the requirement to have a whistleblower policy; and
–– an increase in penalties in line with the Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Act 2019 (Cth).

Civil and criminal penalties will apply to those persons involved in victimisation, or threatened victimisation, of a whistleblower and persons who breach the requirement to protect the identity of a whistleblower.

Public companies and large proprietary companies (as defined in the Corporations Act) will need to put in place a whistleblower policy by 1 January 2020. Australian public and large proprietary companies will need to review their company’s existing whistleblowing policies and programs to ensure they address the key features required under the incoming whistleblower legislation. The policy should be easily accessible to all staff and the program should be regularly communicated to ensure continued staff awareness. Mandatory training is recommended for all staff on a regular basis, and key staff who are responsible for the core elements of the program should be nominated.

Even if a company is not required to put in place a whistleblower policy, it is important to recognise that all whistleblowers must still be treated in accordance with the requirements of the new regime. The protection of whistleblowers is paramount, and we recommend that any report that may qualify as a whistleblower report is treated with appropriate sensitivity within your organisation.



On 29 November 2018, the Modern Slavery Act 2018 (Cth) (the Modern Slavery Act) passed both houses of Parliament and received Royal Assent on 10 December 2018. The legislation entered into force on 1 January 2019. The Modern Slavery Act requires all Australian entities, or entities carrying on business in Australia, with consolidated revenue of at least AUD 100 million in a given financial year, to prepare an annual Modern Slavery Statement and file it with the Government. There is provision for related entities to prepare a joint modern slavery statement. Entities with turnovers of less than AUD 100 million may prepare a statement voluntarily. In order to prepare an annual statement dealing with risks of modern slavery, companies will need to give consideration to the jurisdictions in which they operate, whether they are in a high risk industry sector and particular points of vulnerability in their supply chains.

In preparing an annual Modern Slavery Statement, reporting entities must include information on:

–– the reporting entity’s structure, operations and supply chains;
–– the modern slavery risks within its operations and supply chains;
–– the actions taken to assess, address, and remediate modern slavery risks, including due diligence and remediation processes; and
–– how such actions will be assessed for effectiveness.

Reporting entities will be required to prepare an annual statement. This statement must be prepared within six months of the end of each financial year or accounting period. A Modern Slavery Statements Register will be established by the Minister for Home Affairs, which will be available for public inspection on the Department of Home Affairs’ website. The Minister for Home Affairs will have the power to request a written explanation if an entity fails to submit an annual Modern Slavery Statement and, if such a request has been made, may publish information on the Modern Slavery Register identifying the entity and its failure to provide a Modern Slavery Statement.




Similar legislation was passed by the New South Wales State Government in June 2018 which requires organisations with employees in NSW that supply goods and services with an annual turnover of at least AUD 50 million to prepare a statement. The NSW legislation also establishes an Anti-Slavery Commissioner and imposes financial penalties (up to AUD 1.1 million) for non-compliance. The NSW legislation has not yet entered into force and concerns have been raised about the scope of the legislation, and its interaction with the Commonwealth legislation from a constitutional perspective. The legislation has been referred to the Legislative Council Standing Committee on Social Issues for inquiry and report. It is uncertain whether the NSW legislation will proceed. If it does proceed, those companies who have issued an annual statement under the Commonwealth legislation will not be required to issue a further statement.

From 2019, compliance teams will need to devote resources to developing policies and procedures to facilitate:

–– the identification and reporting of modern slavery risks and practices;
–– the development of measures to address and remediate those risks;
–– the assessment of the effectiveness of those practices; and
–– the preparation of Modern Slavery Statements.

The public access to statements may expose businesses to reputational and financial pressures from shareholders, non-government organisations, and customers where modern slavery risks are identified. The critical first step is to undertake a risk mapping exercise to determine the potential exposure to the risk of modern slavery that your business faces, taking into account the nature of its supply chain. There are a range of due diligence measures that can be taken to address such risks including contractual obligations, audit processes, introduction of improved policies and procedures and training.




In April 2019, the Federal Government commissioned the Australian Law Reform Commission (ALRC) to review Australia’s corporate criminal liability regime under part 2.5 of the Commonwealth Criminal Code. The ALRC will be specifically looking at the role of corporate culture under section 12.3 of the Commonwealth Criminal Code, which allows a court to find a fault element of a crime committed by a corporation. This can be in circumstances where a corporation has a culture of directing, encouraging or tolerating non-compliance with the relevant provision, or a culture which leads to non-compliance. Alternatively, the circumstances may involve a corporation failing to create or maintain a corporate culture of compliance with the relevant provision, which may mean that the corporation is found to be at fault. This is a great concern for directors and officers who could be found criminally liable for the criminal offences committed by their companies whether or not they had knowing involvement. The report is due to be finalised by 30 April 2020.


In November 2018, the Federal Treasurer announced the Government’s intention to create a criminal jurisdiction in the Federal Court, which was further confirmed in the Government Response to the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry ( Financial Services Royal Commission ). These announcements follow the large number of criminal prosecutions recommended by Counsel Assisting the Royal Commission. The creation of a Federal Court Criminal Division is designed to redirect corporate crime prosecutions from heavily burdened state courts. With greater resourcing, the Government expects regulators to increase their prosecution of corporate misconduct, including the type of misconduct identified during the Financial Services Royal Commission.




Following the release of the Final Report of the Financial Services Royal Commission, ASIC has announced a new Office of Enforcement. The Office of Enforcement is responsible for carrying out ASIC’s key enforcement activities. The enforcement function is now separate from ASIC’s regulatory teams. After ASIC was heavily criticised in the Final Report for not commencing litigation against wrongdoers as often as necessary to deter such conduct, the approach of the Office of Enforcement is stated to be “Why Not Litigate?”. Thirteen matters were referred to ASIC by the Financial Services Royal Commission for prosecution and these are being managed by the Office of Enforcement. The Office is also investigating a number of other matters. There is an expectation that with the new focus on enforcement and the introduction of increased penalties for breaches of general obligations by financial services licence holders, there will be a significant increase in the volume of litigation against corporate Australia. There had already been an uptick in criminal cases brought against individuals and corporations and this is certainly a trend that is likely to continue.

Business leaders should stay alert to changes in this space as the Government has signalled it intends to enhance the legislation in this area to facilitate prosecutions of corporate offences. It is anticipated that the Commonwealth Director of Public Prosecutions will use this additional regulatory firepower to pursue enforcement outcomes. Business leaders should review the corporate culture and compliance policies and frameworks of their business. ASIC also has a clear mandate to pursue corporate criminal conduct through its Office of Enforcement. Businesses need to be mindful of the significant penalties that now apply to a range of corporations law offences and that the community expectation is that wrongdoers will be punished, both at the corporate and individual levels. The risk of prosecution reinforces the importance of managing legal and regulatory risk within an organisation and ensuring that any wrongdoing is detected early and where necessary, that appropriate reporting and remediation is undertaken.


Financial services regulation

Avryl Lattin, Partner, T +61 2 9210 4425


Dean Carrigan, Partner, T +61 2 9210 4401

Janette McLennan, Partner, T +61 2 9210 4456



On 1 February 2019, the Financial Services Royal Commission Final Report (Final Report) was issued by Commissioner Hayne to the Australian Government. The Final Report, and legislative developments over the past 12 months, point clearly to a more robust enforcement environment for corporates in the financial services industry going forward. The Australian Government and regulators have already started to respond to issues identified in the Financial Services Royal Commission through a range of initiatives that have been announced and further reform is anticipated given the focus areas signalled by each of the regulators in this space. Over the past 12 months there have been a number of regulatory initiatives announced by the Australian Government and regulators including:

–– the Australian Prudential Regulation Authority (APRA) released its report on its own enforcement strategy review on 29 March 2019. The enforcement strategy review examined APRA’s approach to prospective use of its enforcement powers to achieve its prudential objective of ensuring financial promises made by its supervised institutions are met within a stable, efficient, and competitive financial system;
–– significant funding increases for the Australian Securities and Investments Commission (ASIC) (over AUD 400 million), APRA (over AUD 150 million), the Commonwealth Department of Public Prosecutions (AUD 51.5 million) and the Federal Court of Australia (AUD 35 million);
–– a new supervisory approach that involves embedding ASIC officers in major financial institutions and a new Office of Enforcement; and
–– the Australian Government has announced the establishment of a Committee of Regulatory Enforcement Strategy, to be chaired by the Attorney-General’s Department.

An implementation roadmap has also been announced which will see all the Financial Services Royal Commission recommendations requiring legislation introduced by the end of 2020.



Ending grandfathered commissions for financial advisers

Recommendation 2.4

Removing the exemptions for funeral expenses policies

Recommendation 4.2

Legislation to be consulted on and introduced by end-2019

Application of unfair contract terms provisions to insurance contracts

Recommendation 4.7

Removal of claims handling exemption for insurance

Recommendation 4.8

Recommendation 4.1

No hawking of insurance products

Recommendation 4.3

Deferred sales model for add-on insurance

Cap on commissions paid to vehicle dealers for sale of add-on insurance products

Recommendation 4.4

Legislation to be consulted on and introduced by 30 June 2020

Duty to take reasonable care not to make a misrepresentation to an insurer

Recommendation 4.5

Limiting circumstances where insurers can avoid life insurance contracts

Recommendation 4.6

Restricting use of the term ‘insurer’ and ‘insurance’

Recommendation 4.2

Legislation to be consulted on and introduced by end-2020

Extending the BEAR to APRA-regulated insurers

Recommendation 4.12



The Treasury Laws Amendment (Design and Distribution Obligations and Product Intervention Powers) Act 2019 (Cth) (Product Design and Distribution Act) received Royal Assent. The Product Design and Distribution Act amends the Corporations Act 2001 (Cth) (Corporations Act) to insert a new Part 7.8A – Design and distribution requirements relating to financial products for retail clients and a new Part 7.9A – Product intervention orders. The National Consumer Credit Protection Act 2009 (Cth) (the Credit Act) was also amended.

Under the Product Design and Distribution Act, design and distribution obligations will be imposed on “regulated persons” for certain products which have disclosure requirements under the Corporations Act within the Australian Securities and Investments Commission Act 2001 (Cth) (ASIC Act).

The term “regulated persons” is defined to include:

–– the issuer of a financial product;
–– any person required to hold a financial services licence (or who is exempt from holding such a licence by a specified provision);
–– any authorised representative of such a licensee; and
–– sellers of financial products where the sale requires a disclosure document or Product Disclosure Statement (PDS).

PRODUCT DESIGN OBLIGATIONS ON ISSUERS

The amendments are aimed at ensuring that financial products are targeted at an appropriate audience. Under the new legislation, the person who is responsible for preparing the disclosure document for the product (i.e. the product issuer) will now be required to:

–– make a “target market determination” for a product;
–– keep the target market determinations under review;
–– keep records about decisions regarding target market determinations; and
–– notify ASIC of significant dealings inconsistent with target market determination.




New distribution obligations will also be imposed on the person responsible for making offers, or giving advice or disclosure documents to potential investors (i.e. product distributors). A product distributor will be prohibited from engaging in retail product distribution conduct unless a target market determination has been made, or engaging in retail product distribution conduct where a target market determination may no longer be appropriate. In addition, the product distributor will be under an obligation to:

–– take reasonable steps to ensure that retail product distribution conduct is consistent with the target market determination;
–– collect and provide information specified by the product issuer and complaints related to the distribution of a product; and
–– notify the product issuer of significant dealings inconsistent with the target market determination.

What is reasonable will depend on the scale of harm of the product if wrongly distributed, as well as the probability of it being wrongly distributed.

The new product intervention powers under the Product Design and Distribution Bill permit the Australian Securities and Investments Commission (ASIC) to proactively intervene to reduce harm to consumers before a breach occurs. This may include regulating or banning potentially harmful financial and credit products where there is a risk of significant detriment to retail clients. Where a product is determined by ASIC to cause significant detriment to consumers, ASIC will be able to issue a stop order and take other action that it considers appropriate. Factors which will be relevant to ASIC’s determination as to whether consumer detriment is “significant” for the purposes of this new power include: the nature and extent of the detriment (including any actual or potential financial loss to retail clients), and the impact of the detriment on retail clients. ASIC will be required to satisfy consultation and notification obligations before an intervention order is made.




Contravention of the obligations under the proposed regime will attract both civil penalties and criminal offences. There will be maximum criminal penalties of up to AUD 42,000 or imprisonment for 5 years or both. Following the commencement of the Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Act 2019 (Cth), maximum civil penalties are AUD 1.05 million or three times the benefit derived and detriment avoided because of the contravention for an individual and, for a corporation, the greater of (based on current value of AUD 210 per penalty unit):

–– AUD 10.5 million;
–– three times the value of the benefit derived from the contravention; and
–– 10% of the company’s annual turnover, capped at AUD 525 million.

In addition, it is proposed that a person who suffers loss or damage because of contravention of the obligations under the Product Design and Distribution Bill (including where an entity fails to make a target market determination) may be able to recover that loss by civil action.

The product design and distribution obligations will take effect in April 2021, following a two-year transitional period. During the transitional period, financial product issuers and distributors will have to review their current product design, distribution frameworks, and product target markets in light of the proposed obligations. There are no grandfathering provisions for existing products, so consideration of the appropriate target market will also be required for products that are already on the market. Existing product disclosure obligations will continue in force, so insurers and insurance distributors will need to comply with multiple sets of consumer protection obligations in dealing with retail insurance products going forward.



Privacy and data protection

Matthew Pokarier, Partner, T +61 7 3234 3001

John Moran, Partner, T +61 2 9210 4974


Darryl Smith, Partner, T +61 3 8600 7212



–– Notifiable Data Breaches
–– Consumer Data Right
–– Higher penalties
–– Data surveillance

The Notifiable Data Breach (NDB) Scheme came into effect in February 2018. In circumstances where an organisation identifies unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to an individual, this is deemed an ‘eligible data breach’ under the Privacy Act 1988 (Cth) (Privacy Act). Eligible data breaches must be notified to the Office of the Australian Information Commissioner (OAIC) and affected individuals. Failure to notify an eligible data breach may result in fines of up to AUD 2.1 million. As a result, entities with annual turnover of AUD 3 million or more (which is the threshold for the NDB Scheme) have been required to meet higher compliance obligations in the past 12 to 18 months while still combating the rise in evolving cyber threats.

The OAIC has released its 12-month Insights Report into the frequency, targets and common failings of data breaches since the NDB was introduced. In summary, between 1 April 2018 and 31 March 2019:

–– over 964 notifications were made to the OAIC, including more than 100 breaches affecting more than 1,000 people and 10 affecting more than 100,000 people;
–– there has been a 712% increase in notifications since the introduction of the NDB Scheme;
–– contact and financial details were the most commonly affected information;
–– health services providers are the top reporting sector, followed by finance, and then legal, accounting, and management services; and
–– malicious cyberattacks and human error are the two most commonly attributed sources of data breaches (making up 95% of all reported data breaches), with phishing attempts compromising credentials the most successful tactic employed by malicious third parties.

Despite the substantial data collected and published by the OAIC since the NDB Scheme commenced, no enforcement action has yet been taken against any Australian businesses for failing to comply with the NDB Scheme.




In March 2019, the Australian Government announced amendments to the Privacy Act including a suite of increased penalties. The amendments will:

–– increase the maximum penalty of AUD 2.1 million for serious or repeated breaches to AUD 10 million, or 3 times the value of any benefit obtained through misuse of information, or 10% of a company’s annual domestic turnover, whichever is the greater; and
–– provide the OAIC with new infringement notice powers for failure to cooperate with efforts to resolve minor breaches, including new penalties of up to AUD 63,000 for bodies corporate and AUD 12,600 for individuals.

If introduced, these changes will apply to any organisation or government agency subject to the Privacy Act, including those operating within, and also potentially outside of, Australia. These changes are being backed by an AUD 25 million increase to the OAIC’s funding over the next 3 years. The potential for increased financial penalties (and a new willingness of the OAIC to publicise breaches where it sees fit) creates an additional risk to an entity’s reputation and its bottom line, should an incident occur. This added risk should drive entities to treat privacy risk as a significant whole of business issue.

On 29 March 2019, the Australian Competition and Consumer Commission (ACCC) published its draft rules for how the Consumer Data Right (CDR) will apply to the banking sector. The CDR is intended to provide Australians with greater control over their data and, while commencing in the banking sector, it will eventually apply across a range of sectors. Customers will be empowered to obtain certain data held about them and also choose to share their data with certain third parties only for purposes they have authorised. This will enable consumers to compare products and services and switch to more competitive service providers. The CDR is scheduled to be rolled out across the banking sector from July 2019, with industries such as energy and telecommunications to follow.



Under the recently released banking proposal, methods of requesting CDR data include:

–– product data requests, where individuals may request CDR data that relates to a product offered by the data holder; and
–– consumer data requests, where individuals may request data that relates to themselves.

Alternatively, an accredited person may request CDR data on behalf of a consumer for the purpose of providing goods or services under a CDR contract with that individual. From 1 July 2019 the rights will apply to all major banks in relation to data on credit and debit cards, deposit and transaction accounts. Data rights on mortgages from major banks will become accessible in February 2020 and remaining products by July 2020. All other banks will follow the same roll-out starting 12 months after the major banks and the ACCC will have the power to adjust timeframes if necessary. The ACCC has flagged the commencement of CDR in the energy sector for the first half of 2020 and Treasury has hinted at the CDR being implemented economy-wide, based on the advice from the ACCC and the OAIC.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (the Assistance and Access Act) passed both houses of Parliament on 6 December 2018 and took effect on 9 December 2018. The Assistance and Access Act provides government agencies with powers to intercept and monitor electronic communications including communications that are protected by encryption technology. Under the Assistance and Access Act, technical capability / assistance notices can be issued to companies by Australian government agencies, requiring them to remove any encryption and secure authentication on both devices and services so as to allow access to the data. Technical assistance requests may also be issued although compliance is voluntary. The Assistance and Access Act has been met with significant resistance, particularly from technology companies who argue that alteration to their systems to allow for compliance with technical capability notices will weaken their data security protocols and create backdoors which may potentially expose other consumer data. There are also concerns that exporting Australian technology will become more difficult.
