ASIC remakes general insurance distribution instrument

ASIC has remade a legislative instrument that exempts Australian financial services (AFS) licensees from appointing a general insurance product distributor as their authorised representative. The ASIC Corporations (Basic Deposit and General Insurance Product Distribution) Instrument 2025/520 will extend the relief previously provided by ASIC Corporations (Basic Deposit and General Insurance Product Distribution) Instrument 2015/682 until 27 August 2030. This promotes the wide availability of general insurance products to consumers by reducing the compliance costs to providers.

Criteria required to comply with the instrument

In order to rely on the instrument, and provide a financial service without the need to be licensed or appointed as an Authorised Representative of a Licensee, the following criteria must be met:
the principal must hold an Australian financial services licence covering the provision of the service;
the service is dealing in a general insurance product;
the provider is a product distributor of the licensee (but this does not include employees of the licensee); and
the distributor is not an authorised representative of the licensee.

Additional requirements when the general insurance products are distributed to Retail clients

The licensee must have taken reasonable steps to ensure that when the distributor provides the financial service to a retail client:
the distributor draws the client’s attention to the availability of a dispute resolution system of the licensee that covers complaints by the client in relation to the financial service and how that system may be accessed; and
if the distributor is dealing in a general insurance product or a bundled consumer credit insurance product, the client is given information in writing about: (a) who the distributor acts for when providing the financial service; and (b) any remuneration (including commission) or other benefits that the distributor, or an associate of the distributor, may receive in respect of, or that is attributable to, the provision of the financial service.

The Distributor must not provide financial product advice

The ASIC instrument only applies to ‘dealing’. Dealing in a financial product within the meaning of s766C(1) Corporations Act (also refer RG 36 Part C) means:
applying for or acquiring a financial product;
issuing a financial product;
varying a financial product; or
disposing of a financial product.
Arranging for a person to engage in the conduct referred to above also constitutes dealing. Arranging refers to the process by which a person negotiates for, or brings into effect, a dealing in a financial product (e.g. an issue, variation, disposal, acquisition or application). The person who is arranging may be acting for a product issuer, seller or consumer.

As the instrument is restricted to ‘dealing’ only, the distributor is not permitted to provide financial product advice; this restriction covers both general and personal advice.
If the distributor requires authorisation to provide financial product advice, and the licensee is prepared to authorise the distributor to provide financial product advice, then the distributor must be appointed as an authorised representative of the licensee (or alternatively the distributor obtains their own AFSL). Typical general insurance situations when […]

ASIC sues AFS Licensee for allegedly failing to adequately manage cybersecurity – learnings for general insurance

ASIC is suing financial advice business Fortnum Private Wealth Limited alleging it failed to properly manage and mitigate cybersecurity risks (ASIC Media release 25-143MR). In proceedings filed in the NSW Supreme Court, ASIC alleges Fortnum did not meet its obligations as an Australian financial services licensee because it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks. As a result, ASIC claims Fortnum exposed the company, its authorised representatives (ARs) and clients of its ARs to an unacceptable level of risk of a cyber-attack or a cybersecurity incident.

While Fortnum introduced a specific cybersecurity policy from April 2021, ASIC contends the policy was not an adequate response to manage cybersecurity risk. Before Fortnum revised its policy in May 2023, several of its ARs experienced cyber incidents. One of these was a cyber-attack that ASIC alleges led to a major breach and saw the data of more than 9,000 clients published on the dark web.

As part of the action, ASIC alleges Fortnum did not:
require that its ARs undertake a prescribed minimum amount of cybersecurity education or training;
adequately supervise or monitor the cybersecurity risk management framework of its ARs;
have any employees with specialised expertise or experience in cybersecurity, or engage a consultant with appropriate expertise to assist with the development of its cybersecurity policy; and
have a risk management system which addressed cybersecurity, or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across its ARs.
ASIC is seeking a declaration and pecuniary penalty against Fortnum.

Cybersecurity risks

It is alleged by ASIC that in the course of their business, Fortnum’s ARs electronically received, stored and accessed confidential and sensitive personal information and documents in relation to Retail Clients, including (among other things) copies of identification documents, tax file numbers, and financial information such as bank account and credit card details (Personal Information). It was necessary for the clients of Fortnum’s ARs to provide their Personal Information in order to receive Personal Advice. As a result of the nature and extent of the Personal Information collected and held in the course of providing financial services, Fortnum and each of its ARs were potential targets for cyber-related attacks and cybercrimes, the consequences of which could include serious harm and loss. It therefore was, and is, incumbent on Fortnum in discharging its duties and obligations as a licensee to identify and understand the cybersecurity risks that it and its ARs faced, and to have adequate policies, frameworks, systems and controls in place to appropriately manage and mitigate those risks.

Alleged breaches of the Corporations Act

1) financial services were not provided efficiently, honestly and fairly, and thereby contravened s 912A(1)(a) by [Fortnum’s] failure to: implement any adequate cybersecurity policy to manage and mitigate cybersecurity risks for it and its authorised representatives (ARs); provide any adequate education or training to its ARs on cybersecurity; and implement any, or any adequate, processes, systems or frameworks for the oversight and monitoring […]

Breach reporting by AFS Licensees in General Insurance

ASIC’s recent review of reportable situations (4th December 2024) revealed a number of poor practices among licensees (the review covered 14 licensees across all financial sectors):
Licensees were generally slow to report to ASIC. The key driver of these delays was that licensees took a long time to identify breaches in the first place and begin investigating.
When ASIC reviewed why this was happening, ASIC found that there were deficiencies in licensees’ incident management, particularly how they identified, escalated and recorded incidents.
Most licensees had gaps in how they monitored their own compliance with the regime.
These poor practices had real impacts on consumers. The failures to promptly identify breaches meant that licensees were very slow to rectify breaches and remediate customers.

Start with a focus on incidents

GI Licensees should focus on raising awareness for staff and authorised representatives so that they can identify and raise incidents. This ensures all potential harm and areas of continuous improvement are identified in a timely manner, and potentially before a breach of obligations (or of an Industry Code) has arisen. ASIC advises adopting a simple definition of an incident. This reduces the risk of the business acting as a filter or blockage. Once an incident is pushed down the incident pipeline, an experienced person can review the incident and determine whether it is a breach, or likely breach, of an obligation.

‘An incident is an event that occurs where something has gone wrong.’

Operational risk incidents

All incidents have the potential to cause harm or detriment. Adopt the APRA CPS 230 definition of operational risk: ‘Legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk.’ To this definition, add financial risk incidents (including insurance risk) and strategic risk incidents.

Reportable situations

Once an incident has been identified, raised and reported by the business and/or distributors & service suppliers, the incident(s) need to be categorized and managed to ensure the proper treatment. Incidents need to be considered singularly and as part of a group in case of an emerging trend or theme. Compliance incidents need to be considered in the context of the reportable situations regime. In addition, they must be considered in the context of all financial services laws, privacy laws and Code (where relevant), the separate reporting regime that applies for APRA insurers, the privacy notifiable breaches scheme and the relevant industry Codes.

The reportable situations regime arises under Section 912DAA Corporations Act (also refer RG 78). There are 3 types of reportable situations for general insurance:
(a) breaches or ‘likely breaches’ of core obligations that are significant;
(b) investigations into breaches or likely breaches of core obligations that are significant;
(c) additional reportable situations.

What does significant breach mean?

There are two ways to determine whether a breach is significant:
(a) Deemed significant breaches: In certain situations, a breach or likely breach of a core obligation is taken to be significant. Generally speaking, a breach is deemed significant if it is a civil/criminal penalty breach; however […]

The general obligations of an AFS Licensee providing general insurance products & services

AFS Licensed insurers, underwriting agencies, TPAs (insurance claim managers), general insurance brokers and claimant intermediaries must comply with the general obligations set out in Section 912A(1) Corporations Act.

You must have measures for ensuring you comply with your obligations

ASIC uses the expression ‘measures’ or ‘compliance measures’ to refer to your processes, procedures or arrangements for ensuring that, as far as reasonably practicable, you comply with your obligations as a licensee, including the general obligations (see RG 104.23-24). ASIC expects you to:
(a) document your measures in some form;
(b) fully implement them and monitor and report on their use; and
(c) regularly review the effectiveness of your measures and ensure they are up to date.

Tip: For most licensees (other than APRA regulated insurers) a single, tailored Risk & Compliance Manual (describing your business, your products/services & your obligations, and how these are managed) is sufficient. The Manual should also include governance & breach management. Contact me for assistance.

What are the general obligations?

1. the financial services covered by the licence must be provided efficiently, honestly and fairly
In INFO 253 ASIC provides insights into what this obligation means in the context of claims handling & settling services. The principles can also be applied to sales & underwriting:
providing the financial services in a timely manner, including meeting time frames and standards in the GI Code of Practice or Insurance Brokers Code of Practice;
providing the financial services in the least onerous and intrusive way possible;
providing the financial services fairly and transparently, and in a way that supports consumers, particularly ones who are experiencing vulnerability or financial hardship.

2. have in place adequate arrangements for the management of conflicts of interest
This means identifying conflicts of interest and managing them by: disclosure; controlling (through key controls); and avoiding. All conflicts (& their management) should be included in a conflicts of interest register, with training provided to employees and other representatives.

3. comply with the conditions on the licence
The conditions on your AFS licence reinforce some of the general obligations, so breaching a licence condition will sometimes also be a breach of the general obligation that the condition relates to. You must have measures in place to manage your licence conditions including, for example, a key person requirement condition or, for insurance brokers, the use of restricted broker terms.

4. comply with the financial services laws
Financial services laws is a wide concept and, in addition to the Corporations Act & ASIC Act, includes any other Commonwealth, State or Territory legislation that covers conduct relating to the provision of financial services (whether or not it also covers other conduct), but only in so far as it covers conduct relating to the provision of financial services. Financial services laws therefore relevantly include: the Insurance Contracts Act, the Insurance Act and other Acts applying to APRA regulated insurers, and the Privacy Act.

5. take reasonable steps to ensure that its representatives comply with the financial services laws
This obligation requires licensees to train and […]

Responsible Managers in General Insurance – your obligations

The obligation

One of the general obligations for AFS Licensees under Section 912A(1) Corporations Act is the ‘organisational competence obligation’ (s912A(1)(e)). ASIC assesses your compliance with this obligation by looking at the knowledge and skills of the people who manage your financial services business. ASIC refers to these people as your ‘responsible managers’ (refer RG 105). This is an ongoing obligation, therefore it is important that your compliance measures, including how you comply with your obligations, are documented.

How many responsible managers should we nominate?

At a minimum, you need to nominate responsible managers who:
(a) are directly responsible for significant day-to-day decisions about the ongoing provision of your financial services;
(b) together, have appropriate knowledge and skills for all of your financial services and products; and
(c) individually, meet one of the five options for demonstrating appropriate knowledge and skills (refer Table 1 of RG 105).
If you have a responsible manager with appropriate knowledge and skills for some, but not all, of your financial services or products, you need to ensure that your other responsible managers have appropriate knowledge and skills for the remaining services and products. The number of people you need to nominate as responsible managers will depend on the nature, scale and complexity of your business. However, ASIC expects that you will nominate at least two responsible managers. If you are heavily dependent on the competence of one or two responsible managers (e.g. in a small organisation with one or two principals), ASIC will generally impose a ‘key person’ condition on your AFS licence.

Telling ASIC about your responsible managers

You must demonstrate your organisational competence when you apply for an AFS licence. You may also need to demonstrate your organisational competence if you later apply to vary your licence authorisations.

When you apply for an AFS licence, or to vary your licence authorisations, you must nominate your responsible managers in your application and answer questions about their role, training and experience, and which of the five options they meet. You must also support your application with a ‘core proof’ demonstrating that your responsible managers:
(a) individually meet one of the five options for demonstrating appropriate knowledge and skills; and
(b) together have appropriate knowledge and skills to cover all of your financial services and products.
You must advise ASIC within 10 Business Days when you remove or add a responsible manager (refer the following link: Changing your responsible managers). If the responsible manager you are changing is named on your AFS licence as a key person, you must also apply to vary the key person condition on your licence (Form FS03). If you need assistance with adding/removing responsible managers or varying your AFS Licence conditions, contact me.

Obligations of a responsible manager

The obligation for organisational competence applies to the licensee, not the responsible manager, with civil penalties applying for non-compliance; however, responsible managers may be subject to banning or disqualification orders for failing to fulfil their duties. The following cases are relevant […]