ASIC’s new website provides streamlined access to licence management services, including easy access to ASIC portals such as the new Regulatory Portal for applying for a new AFS Licence or managing an existing licence. In addition, the website provides a wide range of very useful regulatory resources.

Regulatory resources for AFS Licensees in general insurance

The following pages are relevant for firms providing general insurance products or services:

- regulatory resources search
- financial services
- insolvency
- corporate governance

Note: APRA regulated insurers should also refer to the resources on APRA’s webpage. I’ll cover these resources in a separate article.

Regulatory resources search

This page enables users to search for regulatory guides, information sheets, reports, ASIC consultations, forms and ASIC instruments. Advanced search functionality enables the search to be focused, relevantly, on financial services, financial reporting, dealing with ASIC, financial advice & technology.

Financial services

Any AFS Licensee in general insurance should bookmark this page. There are a number of sub-categories which are very helpfully categorised as follows:

- regulatory reforms
- financial advice
- giving advice
- financial product disclosure
- design & distribution obligations
- dispute resolution
- reportable situations
- client money reporting
- financial accountability regime
- claims handling and settling

AFS Licensees

I would also recommend that you bookmark these pages:

- Information for AFS Licensees
- ASIC Regulatory Portal – Applications for a new AFS licence, variation or cancellation of an existing licence, or notifications of some changes to an existing licence.

Information for AFS Licensees

This page also includes links to:

- Do you need an AFS Licence?
- Applying for and managing an AFS licence
- AFS Licensee obligations
- Changing details and lodging forms
- Varying or cancelling your AFS licence

AFS Licensee obligations

A comprehensive page that provides a great overview of your obligations as an AFS licensee, with links to the relevant ASIC Regulatory Guides and Information Sheets.

Insolvency

As an AFS licensee (other than APRA regulated insurers), you must meet the base level financial requirements. This includes the solvency and positive net assets requirement – at all times you must be solvent (i.e. be able to pay all your debts as and when they become due and payable) and have total assets that exceed total liabilities (as shown in your most recent annual balance sheet lodged with ASIC), and at all times have no reason to suspect that total assets would no longer exceed total liabilities on a current balance sheet. This ASIC page contains useful general information on insolvency.

Corporate governance

This is a very useful page for Directors and Company officers. The page also includes a sub-link to cyber resilience and a very useful series of ASIC speeches in connection with Directors as gatekeepers. I will use this page to publish a future article on the role of Directors in setting the right culture.

Disclaimer: Reproduction of statements made in this article by media outlets, whether in full or in part, is strictly prohibited without the express written consent of the author. The views, opinions, and positions expressed within this article are those solely of the […]
ASIC is suing financial advice business Fortnum Private Wealth Limited alleging it failed to properly manage and mitigate cybersecurity risks (ASIC Media Release 25-143MR).

In proceedings filed in the NSW Supreme Court, ASIC alleges Fortnum did not meet its obligations as an Australian financial services licensee because it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks. As a result, ASIC claims Fortnum exposed the company, its authorised representatives (ARs) and clients of its ARs to an unacceptable level of risk of a cyber-attack or a cybersecurity incident.

While Fortnum introduced a specific cybersecurity policy from April 2021, ASIC contends the policy was not an adequate response to manage cybersecurity risk. Before Fortnum revised its policy in May 2023, several of its ARs experienced cyber incidents. One of these was a cyber attack that ASIC alleges led to a major breach and saw the data of more than 9,000 clients published on the dark web.

As part of the action, ASIC alleges Fortnum did not:

- require that its ARs undertake a prescribed minimum amount of cybersecurity education or training,
- adequately supervise or monitor the cybersecurity risk management framework of its ARs,
- have any employees with specialised expertise or experience in cybersecurity or engage a consultant with appropriate expertise to assist with the development of its cybersecurity policy, and
- have a risk management system which addressed cybersecurity or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across its ARs.

ASIC is seeking a declaration and pecuniary penalty against Fortnum.
Cybersecurity risks

It is alleged by ASIC that in the course of their business, Fortnum’s ARs electronically received, stored and accessed confidential and sensitive personal information and documents in relation to Retail Clients, including (among other things) copies of identification documents, tax file numbers, and financial information such as bank account and credit card details (Personal Information). It was necessary for the clients of Fortnum’s ARs to provide their Personal Information in order to receive Personal Advice. As a result of the nature and extent of the Personal Information collected and held in the course of providing financial services, Fortnum and each of its ARs were potential targets for cyber-related attacks and cybercrimes, the consequences of which could include serious harm and loss. It therefore was, and is, incumbent on Fortnum in discharging its duties and obligations as a licensee to identify and understand the cybersecurity risks that it and its ARs faced, and to have adequate policies, frameworks, systems and controls in place to appropriately manage and mitigate those risks.

Alleged breaches of the Corporations Act

1) financial services were not provided efficiently, honestly and fairly, and thereby contravened s 912A(1)(a) by [Fortnum’s] failure to:

- implement any adequate cybersecurity policy to manage and mitigate cybersecurity risks for it and its authorised representatives (ARs);
- provide any adequate education or training to its ARs on cybersecurity; and
- implement any, or any adequate, processes, systems or frameworks for the oversight and monitoring […]
A positive compliance culture, one that truly embraces compliance, ensures that compliance serves its true purpose – to protect. If you begrudge compliance, it’s likely that you and your team see compliance as a bunch of rules that get in the way of doing business.

Choosing a safe vehicle to protect your loved ones

When looking for a new or used car, you may consider buying one with some safety features. You may look for new cars that have a 5 star Australasian New Car Assessment Program (ANCAP) rating. Vehicle safety features can significantly improve safety. Technologies like autonomous emergency braking (AEB), blind-spot monitoring and lane-support systems can reduce the risk of a crash. Side curtain airbags can reduce the severity of an injury if a crash cannot be avoided. Going beyond this, we have a strict driver licensing regime requiring knowledge and application of the road rules. Finally, we have a set of complicated road rules that govern road usage. In NSW alone these rules cover 353 clauses, not including sub-clauses, amendments and regulations.

Notwithstanding the complexity & cost (& at times frustrations of fines & lost points) of the governance around the use of a motor vehicle, we accept it. Why? Because we know that this system of governance protects people & the community that we care about. There is a connection between the head and the heart.

Compliance in general insurance is no different: compliance protects what matters. Compliance should not only engage your head, it should engage your heart. Protecting what matters, what you care about.

Compliance: protecting what matters

It is clear that compliance protects our customers and clients. However, it also protects our people, colleagues, your business, your partners and the wider community. Compliance protects against the risk of non-compliance, such as:

- Customers and clients: protecting against financial harm or detriment, anxiety, stress, mental health, frustration and time.
- The business: protecting against financial impact, loss of licence, regulatory enforcement action, reputational impact, lost management time.
- Your people and representatives: protecting against banning/disqualification, civil penalties, reputation, frustration, stress.
- Your business partners: protecting against reputational impact, enhanced regulatory scrutiny, financial impact.
- The community: protecting against systemic insurance industry failures, mistrust, failure to insure.

How does compliance protect in general insurance?

Imagine a fort: fortified protection through towers and walls designed to protect what matters. A fort provides safety to those within its walls. Compliance protects what matters: customers/clients, the business and its people, partners, stakeholders and the community. How?

The four pillars (towers) of Compliance

Compliance must have an operating rhythm, producing data indicating the adequacy of your compliance measures, evolving as your business grows and responding to external & internal change. Compliance is an ecosystem continually protecting what matters. The compliance operating rhythm is a structured, predictable way a business operates through its compliance measures, incorporating:

- Governance & frameworks
- People & culture
- Procedures & process
- Systems & reporting

Layers of protection

Surrounding the fort are layers (walls) of protection. Compliance measures are your combination […]
ASIC previously examined insurers’ claims handling practices following the major floods of 2022 and found weaknesses across key areas. ASIC’s findings were consistent with other reviews, including the House of Representatives Standing Committee on Economics inquiry into insurers’ responses to the 2022 major floods.

Recently, ASIC went back to assess how home insurers had addressed the areas of improvement identified in Report 768 Navigating the storm: ASIC’s review of home insurance claims (REP 768), published in August 2023. ASIC’s latest review has found that while insurers implemented programs to improve claims handling functions in recent years, and some progress has been made, there is still significant room for further improvement. ASIC identified that without further work, there is considerable risk of ongoing consumer harm, as well as breaches of Australian financial services (AFS) licensee obligations and the General Insurance Code of Practice (Code).

Claims handling obligations

Insurers holding an AFSL must meet the general obligations of financial service licensees under s912A(1) Corporations Act. These obligations include providing claims handling & settling services efficiently, honestly and fairly. ASIC provides guidance on these obligations in INFO 253. ASIC can take enforcement action for a breach of obligations as an AFS Licensee. This includes cancelling or suspending the AFS Licence or imposing conditions on the licence, as well as seeking civil penalties.

Insurers who subscribe to the Code must comply with, and ensure their employees and Service Suppliers comply with, the requirement to be honest, efficient, fair, transparent and timely in all dealings with customers (paragraph 21). Additional obligations arise under Parts 5 (Standards for Service Suppliers), 8 (Making a claim), 9 & 10 (customers experiencing vulnerability including financial hardship), 11 (Complaints), 12 (access to information) and 15 (Claims Investigation Standards).
A breach of the Code can lead to sanctions being imposed by the Code Governance Committee, with significant breaches or serious misconduct being reported to ASIC.

Insurers must act with the utmost good faith under Section 13 of the Insurance Act.

With effect from 1 July 2025, CPS 230 applies to insurers (other than Lloyd’s underwriters). ‘Claims processing’ is deemed a critical operation under paragraph 36. Insurers must (1) take reasonable steps to minimise the likelihood and impact of disruptions to their critical operations; and (2) identify and maintain a register of their material service providers (this includes those providing claim services) and manage the material risks associated with using these providers.

What ASIC found

ASIC’s review revealed that general insurers made progress to address the areas for improvement identified in their August 2023 report, which focused on better consumer communications, project management, handling of complaints, identification and treatment of vulnerable customers, and resourcing for dealing with claims and complaints. However, ASIC found there was inconsistent progress across the industry and still room for more work. ASIC has outlined high-level observations (see below).

High level observations

Oversight of independent experts needs work

Insurers generally have well-documented quality assurance over their builders and repairers. This includes monitoring data on key performance […]
Misleading or deceptive conduct: regulatory obligations

The Corporations Act prohibits engaging in conduct, in relation to a financial product or a financial service, that is misleading or deceptive or is likely to mislead or deceive (s1041H). Further, under the ASIC Act, a person must not, in trade or commerce, engage in conduct in relation to financial services that is misleading or deceptive or is likely to mislead or deceive (s12DA). A breach of the misleading or deceptive conduct provisions is a Reportable Situation to ASIC (other than conduct impacting a single customer where no harm is caused).

What is misleading or deceptive conduct?

The key requirement is that the impugned conduct leads, or is likely to lead, a person into error.

Advertising financial products and services (including insurance): Good practice guidance

ASIC has developed good practice guidance (RG 234) to help promoters comply with their legal obligations to not make false or misleading statements or engage in misleading or deceptive conduct. The promoter will sometimes be the insurer, underwriting agency or broker but can also be a distributor or agent. ASIC’s guidance applies to advertising communicated through any medium in any form, including:

- magazines and newspapers;
- radio and television;
- outdoor advertising, including billboards, signs at public venues, and transit advertising;
- the internet, including webpages, banner advertisements, video streaming (e.g. YouTube), and social networking and microblogging (e.g. LinkedIn);
- social media and internet discussion sites;
- mobile phone messages (e.g. SMS, MMS, text messages);
- product brochures and promotional fact sheets;
- direct mail (e.g. by post, facsimile or email);
- telemarketing activities and audio messages for telephone callers on hold; and
- presentations to groups of people, seminars and advertorials.

Overview of good practice guidance

The following is extracted from RG 234; I have added general insurance context where relevant to do so.
Returns, features, benefits and risks

Advertisements for general insurance products should give a balanced message about the returns, features, benefits and risks associated with the product. Benefits should not be given undue prominence compared with risks.

Warnings, disclaimers, qualifications and fine print

Warnings, disclaimers and qualifications should not be inconsistent with other content in an advertisement, including any headline claims. Warnings, disclaimers and qualifications should have sufficient prominence to effectively convey key information to a reasonable member of the audience on first viewing the advertisement. Consumers should not need to go to another website (or other page of the website) or document (such as a PDS or TMD) to correct a misleading impression.

Fees and costs

Where a fee or cost is referred to in an advertisement, it should give a realistic impression of the overall level of fees and costs a consumer is likely to pay, including any indirect fees or costs. The premium, commission and government charges should be clearly identified.

Comparisons

Comparisons should only be made between products that have sufficiently similar features or, where an advertisement compares different products, the differences should be made clear in the advertisement. This is important for comparison websites.

Use of certain terms […]
Insurers, Underwriting Agencies (MGA), Insurance Claims Managers (TPA), Insurance Brokers and any other entity who holds an AFSL for general insurance have general obligations that must be complied with. A financial services licensee must:

1. do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly;
2. have in place adequate arrangements for the management of conflicts of interest (also refer RG 181);
3. comply with the conditions on the licence. The standard licence conditions are set out in PF 209 and include a ‘key person requirement condition’ if you are heavily dependent on the competence of one or two responsible managers (refer RG 105.52);
4. comply with the financial services laws. These include Chapter 7 Corporations Act, ASIC Act Part 2 Div 2, Insurance Contracts Act, Insurance Act (including Prudential Standards & legislation specifically for APRA regulated insurers) and the Privacy Act;
5. have available adequate resources (including financial (see RG 166), technological (RG 104.97-100) and human resources (RG 104.93-96)) to provide the financial services covered by the licence and to carry out supervisory arrangements. This obligation does not apply to APRA regulated insurers;
6. maintain the competence to provide those financial services (refer RG 105);
7. ensure that its representatives are adequately trained, and are competent, to provide those financial services (RG 104.81-88);
8. have an IDR system that meets the enforceable paragraphs of RG 271 and be a member of AFCA;
9. have adequate risk management systems (RG 104.59-66). This obligation does not apply to APRA regulated insurers;
10. comply with regulation 7.6.04. This includes keeping training records, advising ASIC of certain matters & requirements in respect of authorised representatives.
ASIC’s approach to the broad compliance obligations

The broad compliance obligations are both stand-alone obligations and obligations that encompass the other general obligations. This means that:

(a) if you fail to comply with one or more of the other general obligations, you are also likely to breach the broad compliance obligations; and
(b) even though you may be complying with all of the other general obligations, you may still be in breach of the broad compliance obligations. This is because the broad compliance obligations are also stand-alone obligations (RG 104.54).

Reportable situations to ASIC

Obligations 1, 2, 5, 6, 7, 8, 9 and 10 are civil penalty provisions. Therefore a breach of these obligations is a Reportable Situation to ASIC (see s912D(4)); all other breaches must be assessed under the criteria in s912D(5).

Documenting your compliance measures

It is common for some licensees’ compliance measures to be integrated into their risk management systems. Compliance measures can be one of several controls you can use to address or mitigate risks to your business (including the risk of non-compliance with your obligations under the Corporations Act) (refer RG 104.48). Documentation helps you demonstrate whether or not you are complying with the general obligations. When you document your measures, ASIC expects this will include details of who is responsible, the timeframes involved and associated record keeping and reporting (RG 104.26). […]
ASIC’s recent review of reportable situations (4th December 2024) revealed a number of poor practices among licensees (the review covered 14 licensees across all financial sectors):

- Licensees were generally slow to report to ASIC. The key driver of these delays was that licensees took a long time to identify breaches in the first place and begin investigating.
- When ASIC reviewed why this was happening, ASIC found that there were deficiencies in licensees’ incident management, particularly how they identified, escalated and recorded incidents.
- Most licensees had gaps in how they monitored their own compliance with the regime.
- These poor practices had real impacts on consumers. The failures to promptly identify breaches meant that licensees were very slow to rectify breaches and remediate customers.

Start with a focus on incidents

GI Licensees should focus on raising awareness for staff and authorised representatives so that they can identify and raise incidents. This ensures all potential harm and areas of continuous improvement are identified in a timely manner and potentially before a breach of obligations (or Industry Code) has arisen.

ASIC advises adopting a simple definition of an incident. This reduces the risk of the business acting as a filter or blockage. Once an incident is pushed down the incident pipeline, an experienced person can review the incident and determine whether it is a breach, or likely breach, of an obligation.

‘An incident is an event that occurs where something has gone wrong.’

Operational risk incidents

All incidents have the potential to cause harm or detriment. Adopt the APRA CPS 230 definition of operational risk: ‘Legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk.’ To this definition, add financial risk incidents (including insurance risk) and strategic risk incidents.
Reportable situations

Once an incident has been identified, raised and reported by the business and/or distributors & service suppliers, the incident(s) need to be categorised and managed to ensure the proper treatment. Incidents need to be considered singularly and as part of a group in case of an emerging trend or theme.

Compliance incidents need to be considered in the context of the reportable situations regime. In addition, they must be considered in the context of all financial services laws, privacy laws and the Code (where relevant), the separate reporting regime that applies for APRA insurers, the privacy notifiable breaches scheme and the relevant industry Codes.

The reportable situations regime arises under Section 912DAA Corporations Act (also refer RG 78). There are 3 types of reportable situations for general insurance:

(a) breaches or ‘likely breaches’ of core obligations that are significant;
(b) investigations into breaches or likely breaches of core obligations that are significant;
(c) additional reportable situations.

What does significant breach mean?

There are two ways to determine whether a breach is significant:

(a) Deemed significant breaches: In certain situations, a breach or likely breach of a core obligation is taken to be significant. Generally speaking, a breach is deemed significant if it is a civil/criminal penalty breach; however […]
The use of technology in general insurance is increasing at a cautious pace due to the perceived lack of regulatory guidance or guardrails.

APRA guardrails

In respect of the General Insurance industry, it’s more likely that APRA will shape the governance for the use of technology rather than ASIC. Having said that, the influence of ASIC will continue to be significant at the operational level, especially for insurance brokers. We have already seen the influence of CPS 234 (Information security) on the industry, and more so with CPS 230 (Operational risk). APRA regulated insurers are responsible for their service suppliers; therefore the Prudential Standards result in a cascading effect leading to industry change for insurers and their Underwriting Agencies, TPAs and other service suppliers. A similar situation exists for Lloyd’s coverholders due to UK regulations and governance applying to Lloyd’s underwriters.

ASIC recently released REP 798 Beware the gap: Governance arrangements in the face of AI innovation (29th October 2024). ASIC reviewed how 23 AFS licensees and credit licensees are using and planning to use artificial intelligence, how they are identifying and mitigating associated consumer risks, and their governance arrangements. The report outlines the key findings from that review.

ASIC commented that, on the whole, the way licensees used AI was quite cautious in terms of decision making and interactions with consumers: AI generally augmented rather than replaced human decision making, and there was only limited direct interaction between AI and consumers.

From a regulatory compliance perspective, the blending of human expertise and technology efficiency appears to be the sensible approach in the short to medium term. As a rule of thumb, the more severe the consequences of non-compliance, the higher the involvement of people in technology driven processes and decision-making.
The theme from ASIC’s report was that ‘(t)he maturity of governance and risk management did not always align with the nature and scale of licensees’ AI use’ (finding 7). This supports an APRA driven approach for governance: start with insurers and allow the changes to cascade downstream to service suppliers and throughout the industry.

Regulations are technology neutral

It’s important to note that financial services laws are technology neutral. The AFSL general obligation to provide financial services ‘efficiently, honestly and fairly’ does not care whether human or technological means are used to provide the financial services, provided the overarching obligation is met. This is supported by the AFSL adequate resources general obligation, requiring AFS Licensees to have adequate resources (that is, adequate human, technological and financial resources) to provide the financial services. This requirement does not apply to APRA regulated insurers as their obligations in this respect are covered by Prudential Standards such as CPS 234 and 230.

Technology and the law – General insurance: where to start?

The starting point should be Australia’s AI Ethics Principles. Australia’s 8 Artificial Intelligence (AI) Ethics Principles are designed to ensure AI is safe, secure and reliable. They will help:

- achieve safer, more reliable and fairer outcomes for all Australians
- reduce […]
Change is constant – none more so than in General Insurance: regulatory change, upcoming Code changes, changes due to regulator reviews, Court decisions, Code compliance reviews; the list is endless. Add to that internal change due to binder & capacity changes, service supplier changes, and the list goes on. Large insurers manage change through project management teams & change pipelines; however, what do you do if your resources are limited? This article has been written for Underwriting Agencies, Lloyd’s coverholders, Insurance Brokers, TPAs, Service Suppliers & small to medium sized insurers who must manage regulatory change and remain compliant through the complexity created by change.

1. The importance of a compliance operating rhythm

The starting point is to have a Risk & Compliance Manual, tailored to your business, that describes your compliance measures and provides you with an operating rhythm for managing risk & compliance. The Manual must include your obligations (financial services laws, GI or NIBA Code, binder agreement(s), service supplier agreements etc) and the key controls that are assigned to manage the obligations. A separate Obligations register is suitable for larger firms provided the register is referenced in the Manual, including how the register is managed.

2. The source of regulatory change

Your manual must identify your sources of regulatory change. They are numerous and generally include (for non-lawyers) signing up to receive email feeds from:

- regulators such as ASIC, APRA, OAIC, Austrac, ACCC
- AFCA
- Industry Associations such as ICA, NIBA, UAC and Insurtech Australia
- Financial services legal firms
- Insurance news services
- me, via my LinkedIn posts and my monthly Newsletter Navigating Compliance in General Insurance

Also be mindful of internal change or change from your business partners.

3. High level review

You’ve identified the regulatory change. What next? At this stage ask 3 questions:

- does this change apply to General Insurance?
- and, if so, does this change apply to the cohort I’m part of? (brokers, underwriting agency, TPA, service suppliers, insurers); and/or
- will this change impact me upstream/downstream (e.g. a Prudential Standard or the GI Code of Practice that applies to an insurer)?

If yes to these questions, proceed with step 4; otherwise ignore the change.

4. Deep analysis

You need to work out the impact of the regulatory change on your business. It is useful to engage with your Industry Association, peers or your risk & compliance advisor (I’m happy to assist with any queries) to understand the common approaches that are being adopted across the industry to the regulatory change. Adopting the Who, What, When, Where, Why, and How approach is useful:

- start with ‘why’ and understand the underlying rationale and purpose of the change
- ‘what’ is about the details. What does the new law require me to do?
- ‘when’ does the regulatory change take effect? This assists in planning the runway.
- ‘where’ does the regulatory change apply? e.g. underwriting, claims, broking
- ‘how’ provides the details of what you must do to comply with the new regulatory change
- ‘who’ does the change apply to […]
An Australian financial services licensee (Kalkine) must appoint an independent compliance consultant to address ASIC concerns that Kalkine’s customer service representatives were giving unlicensed advice (refer ASIC Media Release 25-085MR).

New licence conditions have been imposed on Kalkine’s licence to ensure compliance with its obligations as an AFS licensee. These conditions require Kalkine to engage a consultant to review, assess and report to ASIC whether Kalkine’s interactions with its customers are compliant and its supervision mechanisms are adequate.

ASIC had concerns that:

- Kalkine’s representatives, who are based in India, may have provided personal advice as part of the sale of subscription services when Kalkine’s AFS licence only authorised it to provide general financial product advice,
- Kalkine’s representatives may have misrepresented to customers the kind of advice being given, by qualifying this as general advice but leaving customers with the impression that the advice was directed to their own personal circumstances,
- Kalkine failed to do all things necessary to ensure that the financial services covered by its AFS licence were provided efficiently, honestly and fairly, including but not limited to ensuring the advice being given by its representatives was appropriate and within the scope of its licence, and
- Kalkine’s processes to ensure that its representatives were complying with the law when interacting with consumers were inadequate.

Westpac case and personal advice

The High Court in Westpac Securities Administration Ltd v Australian Securities and Investments Commission [2021] HCA 3 held that WSAL and BTFM breached the Corporations Act by providing personal financial product advice in calls made to 14 customers. Neither company was licensed to provide personal financial advice. The decision of the High Court clarified the difference between general and personal advice for consumers and financial services providers.
ASIC Commissioner Danielle Press said (ASIC Media Release 3 February 2021): ‘The High Court has provided clarity concerning the differences between personal advice and general advice. Westpac were actively conducting a sales campaign aimed at rolling customers into Westpac products under the banner of general advice.’

In the judgment, Justice Gordon reinforced that s766B(3) of the Corporations Act, which outlines the meaning of general and personal advice, ‘is directed to the protection of the retail client’ and clarified that ‘[…] the general advice warning must be assessed in light of all the circumstances. The general advice warning was given only once, at the beginning of the telephone conversation. Members were subsequently asked directly about their personal objectives. Members were not encouraged to seek personal advice before deciding whether to accept the rollover service.’

Key compliance takeaways

- A General Advice Warning does not make the advice provided general advice. It is substance over form.
- When you are giving general advice to a client, in addition to giving a general advice warning, it is good practice to take reasonable steps to ensure that the client understands upfront that they are getting general advice and not personal advice.
- You should take reasonable steps to ensure that the client understands that you have not taken […]
