AFCA’s updated Approaches to family violence and elder financial abuse – General insurance

AFCA has published its updated Approach to family violence and Approach to financial abuse of older people following a comprehensive consultation process. AFCA has:

- expanded and refreshed the Approach to family violence, which will replace AFCA’s existing Approach to joint accounts and family violence
- revised and updated the Approach to financial abuse of older people, which will replace the superseded Approach to financial elder abuse.

I have extracted the parts of the Approaches relevant to General Insurance; however, the full Approaches should be considered and can be accessed here.

The AFCA Approach to family violence

What is family violence?

The Family Law Act 1975 (Cth) defines family violence as: “…violent, threatening or other behaviour by a person that coerces or controls a member of the person’s family (the family member), or causes the family member to be fearful.”

Family violence can have serious and lasting effects on a person’s physical, psychological and financial wellbeing. These impacts may compound over many years. The impact of family violence does not necessarily end when the relationship does. In some cases, it can begin or escalate after the relationship has ended.

Family violence refers to both intimate partner violence and violence between family members. This includes (but is not limited to):

- physical, psychological, sexual and emotional abuse
- coercive control
- financial abuse
- parental or elder abuse

General insurance

Family violence in the misuse of insurance products is a growing risk. Insurance policies can be exploited to perpetrate abuse by changing or cancelling policies, changing beneficiaries, restricting access to information, interfering with the claims process, or preventing victim-survivors from obtaining a payout.

Warning signs of potential family violence and financial abuse

There are warning signs that a customer may be experiencing family violence and/or financial abuse specific to insurance products. These may include when one policyholder may:

- not understand, or is not aware, that:
  > cover has been taken out in their name or covering their property
  > they have been removed from a policy or the policy has been cancelled by a joint policyholder
- have concerns about protecting their personal privacy or safety or the security of their policies
- be reluctant to involve the other joint policyholder when making changes to the policy, making a claim or seeking hardship assistance.

Warning signs that a policyholder may be a perpetrator of family violence include that they:

- ask questions about a joint policyholder’s behaviour or activities
- request to remove the other joint policyholder from a policy or claim
- are reluctant to involve the other joint policyholder when making changes to the policy, making a claim or seeking hardship assistance.

Common issues that may arise

In the context of insurance, issues that may arise with jointly held policies in situations involving family violence include:

- cancellation of the policy by one policyholder
- payment of benefits under a jointly held policy
- disadvantage to innocent co-insured by a perpetrator’s failure to disclose
- perpetrators forcing victim-survivors to pay an excess following an accident
- policies that may exclude damage to property by the perpetrator of family […]

Compliance protects – how to foster a culture of compliance

The true purpose of Compliance

What is your compliance narrative? Is it about rules, regulations and laws? A legalistic approach to compliance does not engage your people and projects compliance as a series of tasks and activities that must be undertaken – hardly inspiring or motivational, with the outcome that compliance is often reactive in nature.

How do you change the compliance narrative so that it is about people and caring, driving a proactive approach to compliance?

The true purpose of compliance is to protect. The question becomes – protect whom, and from what? Your firm’s response to this fundamental question is important. People are motivated to act by caring, and it’s what we care about that we want to protect.

The protect analogy

Think about driving a car. You need a driver’s licence to drive a motor vehicle on a public road. This licensing process requires you to gain knowledge and skills to operate a motor vehicle in accordance with the road rules. Why? To protect yourself, people you care about (as your passengers), other road users and the community from the cost of motor vehicle accidents – fatalities, injuries and property damage and consequential social costs.

Similarly, in order to conduct a general insurance business in Australia you need to be authorised by APRA, and to provide a financial service (which includes general insurance) you need to be licensed by ASIC, or be a representative of a licensee. Like a driver’s licence, you need to demonstrate to APRA and ASIC the knowledge, skills and experience in general insurance, with the appropriate capital requirements and human, financial and IT resources, and with people who meet standards of honesty, ethics and integrity. Why? To protect what matters, and who you care about.

Let’s explore this further.

Who does compliance protect?

Compliance, in a general insurance context, protects:

- our customers, clients and consumers from the risk of financial harm and detriment and consequential impacts on their life, business and assets (due to issues such as availability and affordability; partial or total declined claims; underinsurance, claim delays etc);
- our people (this includes staff, external representatives, material service providers and anyone involved in the insurance sales & claims supply chain) from the risk of being banned or disqualified, individual fines & penalties, damage to their reputation and associated mental health issues and impacts to the enjoyment of their life;
- our business – the risk of fines & penalties, loss of licence, enforcement action, lost management time, loss of business, reputational impacts and class actions including shareholder actions for ASX listed entities;
- our business partners such as insurers, MGAs, TPAs, service suppliers, authorised representatives, referrers, distributors, and material service providers from the risk of financial and reputational harm, regulatory enforcement action, loss of business partner and associated loss of business; and
- the community, arising from systemic failures and mistrust in the general insurance industry.

What happens when we care?

Caring motivates people to take action, and to perform tasks that make a positive difference. This […]

Remarks by ASIC Commissioner at ICA Annual Conference – premiums, claims, cash settlements and the new GI Code of Practice

The following are extracted from remarks by ASIC Commissioner Alan Kirkland at the Insurance Council of Australia Annual Conference on 10 October 2025. I have grouped the remarks under various headings for ease of reference. The full speech may be accessed here.

Claims handling – 2022 floods

It’s hard to forget those who let you down when you’ve had a hard time – and that was unfortunately the experience of many Australians in the aftermath of the 2022 floods.

“Some people, who turned to their insurer in their darkest hour after paying premiums for years, felt that they became engaged in an adversarial situation with a company meant to be on their side.”[9]

That quote is from the House of Representatives Standing Committee on Economics report into claims handling failures after the 2022 floods, which was handed down almost a year ago. It’s fair to say that there remains a significant trust gap to be addressed following this report. Reputation data from RepTrak[10] and Roy Morgan[11] suggests that insurance is among Australia’s most distrusted industries – and you only need to look at the testimony of individuals impacted to understand why.

David Norris, whose family owned the Central Hotel in Eugowra, told the inquiry after more than 60 years with their insurer it was apparent that “loyalty only goes one way”.[12] This is the challenge that must be addressed by you as you try to “pitch your tent” in the middle of these storms – showing people like David that loyalty is a two-way street.

Areas of improvement in claims handling

As insurers though, you are in the business of recovery. You know that rebuilding doesn’t happen overnight. It takes continual effort and care. And we know from our latest review that some of you are putting in the work and starting to see some green shoots of recovery as a result of that work. As noted recently by AFCA[13], the industry has made progress on reducing historically high complaint numbers, which should be commended.

And we have also observed some promising signs in our recent follow-up on Report 768 – which of course was the report that examined claims handling practices following the 2022 floods[14]. When that report was published, we found that poor communications, poor resourcing, and poor treatment of vulnerable customers were endemic across the insurance industry. But it is clear that a lot of work has happened in the past two years in response to those findings.

For example, every insurer we looked at this time around had established a program to improve their approach to claims handling. Most had introduced a single point of contact for claims, so customers didn’t have to tell their stories over and over again. Some had gotten smarter about how they used their data to identify and support vulnerable customers, before and after major events. And a few went beyond this – towards truly consumer-centric practices. For example, we’ve seen some insurers appoint a dedicated consumer advocate to be a […]

The role of the regulator – swim between the flags

Last month I attended the AILA 2025 National Conference in Melbourne. One of the highlights was the regulators panel featuring:

- Jane Magill, Executive Director General Insurance & Banking, APRA
- Peter Soros, Executive Director, Regulation & Supervision, ASIC
- David Locke, CEO, AFCA
- Chair: Alexandra Hordern, General Manager, Regulatory & Consumer Policy, ICA (Insurance Council of Australia)

General insurance – areas of increased regulatory oversight

The following areas were identified as subject to regulatory oversight during 2026:

- increased complaints for motor vehicle insurance were noted; this will be a focus for ASIC
- claims handling is improving; however, areas such as cash settlements will be a focus
- risk culture, including how this permeates throughout the organisation
- feedback on CPS 230 based on reviews of larger insurers
- the use of AI; however, both ASIC and APRA consider that the existing regulatory regime is sufficient to manage the risks and are continuing to observe this space. A human should be involved in any AI decision-making process. APRA will be undertaking a narrow review of larger entities to test that principles-based Prudential Standards 220, 230 & 234 are adequate to manage the risk of AI
- the use of AI by complainants as part of the IDR and EDR was observed and is being considered by AFCA (and is consistent with what I’m being told by my clients)
- pricing; the expectation is for transparency, and for insurers to recognise efforts by insureds to improve their own risk
- sustainability reporting requirements

The role of the regulator

David Locke provided the following view on the role of the regulator, which I have reproduced below with David’s permission:

As a regulator your role is to clearly spell out where the red and yellow flags are on the beach and make it very easy for the public (and financial firms) to swim between the flags. There will always be some people who drift or accidentally swim just outside them and you blow your whistle and use the lightest regulatory tools necessary to get them to swim back in safe water. You then focus the majority of your compliance resources on the idiots jumping off the rocks at the end of the beach. You want to prosecute them to deter others from doing so, and in some cases want them permanently off the beach.

David’s analogy strongly resonates with my ‘Compliance protects what matters’ theme. A company’s compliance arrangements can serve a similar purpose of keeping their people and other representatives swimming safely between the flags (that is: conducting general insurance business efficiently, honestly, fairly, transparently and in a timely manner) by adopting the following compliance operating rhythm:

- the documented compliance processes and procedures, training and IT systems provide a safe place to conduct business, protecting the business, its people, its customers and clients and its business partners;
- the firm’s people acting as ‘an early warning system’ to quickly identify and raise incidents and complaints;
- an effective monitoring program; and
- a culture of wanting to do the right thing.

Disclaimer: Reproduction of statements […]

What are the requirements to carry on general insurance business in Australia?

Underwriting Agencies generally require an APRA-regulated insurer as a partner to provide general insurance products in Australia. The Underwriting Agency typically has delegated binding authority from an insurer (see section 916E Corporations Act). In this instance, the Agency is acting on behalf of the insurer. In other arrangements, such as an open-market placement, it’s likely that the agency is acting on behalf of the insured (commonly referred to as wholesale broking) and would require the relevant authorisation under their AFS Licence.

It is necessary for an Underwriting Agency to ensure that the insurer is authorised by APRA to carry on general insurance business in Australia.

Who is an insurer and what authorisation does an insurer require to carry on general insurance business in Australia?

Under the Insurance Act 1973, it is an offence to conduct insurance business in Australia without the proper authority. If your business intends to conduct any business that can be classed as insurance business, you need a licence from APRA giving you the authority to conduct insurance business in Australia.

Part 3 of the Insurance Act defines ‘insurance business’ as the business of undertaking liability by way of insurance (including reinsurance), in respect of any loss or damage. It includes liability to pay damages or compensation, contingent upon the happening of a specified event, and any business incidental to insurance business as so defined. There are some exclusions to the definition of insurance business, such as life insurance (covered by the Life Insurance Act 1995) and health insurance (covered by the Private Health Insurance Act 2007).

The Insurance Act only allows corporations or Lloyd’s underwriters to carry out insurance business in Australia, which means APRA cannot consider applications from partnerships or unincorporated entities.

APRA expects all applicants to be able to comply with all of its prudential requirements, as set out in the Insurance Act and prudential standards, from the commencement of insurance business in Australia and continuously thereafter.

Requirements

APRA will consider the following matters in the application:

- ownership
- governance, including board composition and FAR
- capital and assets in Australia, including minimum capital requirements
- risk management framework
- compliance
- reinsurance management
- information security and accounting systems
- intra-group transactions and arrangements

General insurers authorisation – Section 12

A general insurer, including a foreign general insurer, is authorised under section 12 to carry on general insurance business in Australia. The obligation to comply with APRA Prudential Standards applies to general insurers authorised under section 12.

Lloyd’s Underwriters – Section 93

Part VII, section 93 of the Insurance Act authorises Lloyd’s Underwriters to write Australian insurance business. Sections 65 to 73 of the Act provide for special Australian policyholder protection provisions associated with Lloyd’s. At all times, Lloyd’s must ensure that security trust fund arrangements, and ancillary or incidental arrangements, in accordance with Lloyd’s security trust fund instrument No. 2 of 2017 are in existence.

Unauthorised foreign insurers

Certain insurance business is exempt under the Insurance Act (subsection 3A(1)). Insurance Regulation Section 8 provides that where insurance is […]

ASIC remakes general insurance distribution instrument

ASIC has remade a legislative instrument that exempts Australian financial services (AFS) licensees from appointing a general insurance product distributor as their authorised representative. The ASIC Corporations (Basic Deposit and General Insurance Product Distribution) Instrument 2025/520 will extend the relief previously provided by ASIC Corporations (Basic Deposit and General Insurance Product Distribution) Instrument 2015/682 until 27 August 2030. This promotes the wide availability of general insurance products to consumers by reducing the compliance costs to providers.

Criteria required to comply with the instrument

In order to rely on the instrument, and provide a financial service without the need to be licensed or appointed as an Authorised Representative of a Licensee, the following criteria must be met:

- the principal must hold an Australian financial services licence covering the provision of the service;
- the service is dealing in a general insurance product;
- the provider is a product distributor of the licensee (but this does not include employees of the licensee); and
- the distributor is not an authorised representative of the licensee.

Additional requirements when the general insurance products are distributed to Retail clients

The licensee must have taken reasonable steps to ensure that when the distributor provides the financial service to a retail client:

- the distributor draws the client’s attention to the availability of a dispute resolution system of the licensee that covers complaints by the client in relation to the financial service and how that system may be accessed; and
- if the distributor is dealing in a general insurance product or a bundled consumer credit insurance product, the client is given information in writing about: (a) who the distributor acts for when providing the financial service; and (b) any remuneration (including commission) or other benefits that the distributor, or an associate of the distributor, may receive in respect of, or that is attributable to, the provision of the financial service.

The Distributor must not provide financial product advice

The ASIC instrument only applies to ‘dealing’. Dealing in a financial product within the meaning of s766C(1) Corporations Act (also refer RG 36 Part C) means:

- applying for or acquiring a financial product;
- issuing a financial product;
- varying a financial product; or
- disposing of a financial product.

Arranging for a person to engage in the conduct referred to above also constitutes dealing. Arranging refers to the process by which a person negotiates for, or brings into effect, a dealing in a financial product (e.g. an issue, variation, disposal, acquisition or application). The person who is arranging may be acting for a product issuer, seller or consumer.

As the instrument is restricted to ‘dealing’ only, the distributor is not permitted to provide financial product advice; this restriction covers both general and personal advice.

If the distributor requires authorisation to provide financial product advice, and the licensee is prepared to authorise the distributor to provide financial product advice, then the distributor must be appointed as an authorised representative of the licensee (or alternatively the distributor obtains their own AFSL).

Typical general insurance situations when […]

ASIC sues AFS Licensee for allegedly failing to adequately manage cybersecurity – learnings for general insurance

ASIC is suing financial advice business Fortnum Private Wealth Limited alleging it failed to properly manage and mitigate cybersecurity risks (ASIC Media Release 25-143MR).

In proceedings filed in the NSW Supreme Court, ASIC alleges Fortnum did not meet its obligations as an Australian financial services licensee because it failed to have adequate policies, frameworks, systems and controls in place to deal with cybersecurity risks. As a result, ASIC claims Fortnum exposed the company, its authorised representatives (ARs) and clients of its ARs to an unacceptable level of risk of a cyber-attack or a cybersecurity incident.

While Fortnum introduced a specific cybersecurity policy from April 2021, ASIC contends the policy was not an adequate response to manage cybersecurity risk. Before Fortnum revised its policy in May 2023, several of its ARs experienced cyber incidents. One of these was a cyber attack that ASIC alleges led to a major breach and saw the data of more than 9,000 clients published on the dark web.

As part of the action, ASIC alleges Fortnum did not:

- require that its ARs undertake a prescribed minimum amount of cybersecurity education or training,
- adequately supervise or monitor the cybersecurity risk management framework of its ARs,
- have any employees with specialised expertise or experience in cybersecurity or engage a consultant with appropriate expertise to assist with the development of its cybersecurity policy, and
- have a risk management system which addressed cybersecurity or policies, frameworks, systems or controls which enabled the identification and evaluation of cybersecurity risks across its ARs.

ASIC is seeking a declaration and pecuniary penalty against Fortnum.

Cybersecurity risks

It is alleged by ASIC that in the course of their business, Fortnum’s ARs electronically received, stored and accessed confidential and sensitive personal information and documents in relation to Retail Clients, including (among other things) copies of identification documents, tax file numbers, and financial information such as bank account and credit card details (Personal Information). It was necessary for the clients of Fortnum’s ARs to provide their Personal Information in order to receive Personal Advice.

As a result of the nature and extent of the Personal Information collected and held in the course of providing financial services, Fortnum and each of its ARs were potential targets for cyber-related attacks and cybercrimes, the consequences of which could include serious harm and loss. It therefore was, and is, incumbent on Fortnum in discharging its duties and obligations as a licensee to identify and understand the cybersecurity risks that it and its ARs faced, and to have adequate policies, frameworks, systems and controls in place to appropriately manage and mitigate those risks.

Alleged breaches of the Corporations Act

1) financial services were not provided efficiently, honestly and fairly, and thereby contravened s 912A(1)(a) by [Fortnum’s] failure to:
- implement any adequate cybersecurity policy to manage and mitigate cybersecurity risks for it and its authorised representatives (ARs);
- provide any adequate education or training to its ARs on cybersecurity; and
- implement any, or any adequate, processes, systems or frameworks for the oversight and monitoring […]

Breach reporting by AFS Licensees in General Insurance

ASIC’s recent review of reportable situations (4 December 2024) revealed a number of poor practices among licensees (the review covered 14 licensees across all financial sectors):

- Licensees were generally slow to report to ASIC. The key driver of these delays was that licensees took a long time to identify breaches in the first place and begin investigating.
- When ASIC reviewed why this was happening, ASIC found that there were deficiencies in licensees’ incident management, particularly how they identified, escalated and recorded incidents.
- Most licensees had gaps in how they monitored their own compliance with the regime.
- These poor practices had real impacts on consumers. The failures to promptly identify breaches meant that licensees were very slow to rectify breaches and remediate customers.

Start with a focus on incidents

GI Licensees should focus on raising awareness for staff and authorised representatives so that they can identify and raise incidents. This ensures all potential harm and areas of continuous improvement are identified in a timely manner, and potentially before a breach of obligations (or Industry Code) has arisen.

ASIC advises adopting a simple definition of an incident. This reduces the risk of the business acting as a filter or blockage. Once an incident is pushed down the incident pipeline, an experienced person can review the incident and determine whether it is a breach, or likely breach, of an obligation.

‘An incident is an event that occurs where something has gone wrong.’

Operational risk incidents

All incidents have the potential to cause harm or detriment. Adopt the APRA CPS 230 definition of operational risk: ‘Legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management risk.’ To this definition, add financial risk incidents (including insurance risk) and strategic risk incidents.

Reportable situations

Once an incident has been identified, raised and reported by the business and/or distributors & service suppliers, the incident(s) need to be categorised and managed to ensure the proper treatment. Incidents need to be considered singularly and as part of a group, in case of an emerging trend or theme.

Compliance incidents need to be considered in the context of the reportable situations regime. In addition, they must be considered in the context of all financial services laws, privacy laws and Codes (where relevant), the separate reporting regime that applies for APRA insurers, the privacy notifiable breaches scheme and the relevant industry Codes.

The reportable situations regime arises under Section 912DAA Corporations Act (also refer RG 78). There are 3 types of reportable situations for general insurance:

(a) breaches or ‘likely breaches’ of core obligations that are significant;
(b) investigations into breaches or likely breaches of core obligations that are significant;
(c) additional reportable situations.

What does significant breach mean?

There are two ways to determine whether a breach is significant:

(a) Deemed significant breaches: In certain situations, a breach or likely breach of a core obligation is taken to be significant. Generally speaking, a breach is deemed significant if it is a civil/criminal penalty breach; however […]

The general obligations of an AFS Licensee providing general insurance products & services

AFS Licensed insurers, underwriting agencies, TPAs (insurance claim managers), general insurance brokers and claimant intermediaries must comply with the general obligations set out in Section 912A(1) Corporations Act.

You must have measures for ensuring you comply with your obligations

ASIC uses the expression ‘measures’ or ‘compliance measures’ to refer to your processes, procedures or arrangements for ensuring that, as far as reasonably practicable, you comply with your obligations as a licensee, including the general obligations (see RG 104.23-24). ASIC expects you to:

(a) document your measures in some form;
(b) fully implement them and monitor and report on their use; and
(c) regularly review the effectiveness of your measures and ensure they are up to date.

Tip: For most licensees (other than APRA regulated insurers) a single, tailored Risk & Compliance Manual (describing your business, your products/services & your obligations, and how these are managed) is sufficient. The Manual should also include governance & breach management. Contact me for assistance.

What are the general obligations?

1. the financial services covered by the licence must be provided efficiently, honestly and fairly

In INFO 253 ASIC provides insights into what this obligation means in the context of claims handling & settling services. The principles can be applied to sales & underwriting:

- providing the financial services in a timely manner, including meeting time frames and standards in the GI Code of Practice or Insurance Brokers Code of Practice
- providing the financial services in the least onerous and intrusive way possible
- providing the financial services fairly and transparently, and in a way that supports consumers, particularly ones who are experiencing vulnerability or financial hardship

2. have in place adequate arrangements for the management of conflicts of interest

This means identifying conflicts of interest and managing them by:

- disclosure
- controlling (through key controls); and
- avoiding.

All conflicts (& their management) should be included in a conflicts of interest register, with training provided to employees and other representatives.

3. comply with the conditions on the licence

The conditions on your AFS licence reinforce some of the general obligations, so breaching a licence condition will sometimes also be a breach of the general obligation that the condition relates to. You must have measures in place to manage your licence conditions including, for example, a key person requirement condition or, for insurance brokers, the use of restricted broker terms.

4. comply with the financial services laws

Financial services laws is a wide concept and, in addition to the Corporations Act & ASIC Act, includes any other Commonwealth, State or Territory legislation that covers conduct relating to the provision of financial services (whether or not it also covers other conduct), but only in so far as it covers conduct relating to the provision of financial services. Financial services laws therefore relevantly include: the Insurance Contracts Act, the Insurance Act and other Acts applying to APRA regulated insurers, and the Privacy Act.

5. take reasonable steps to ensure that its representatives comply with the financial services laws

This obligation requires licensees to train and […]

Responsible Managers in General Insurance – your obligations

The obligation

One of the general obligations for AFS Licensees under Section 912A(1) Corporations Act is the ‘organisational competence obligation’ (s912A(1)(e)). ASIC assesses your compliance with this obligation by looking at the knowledge and skills of the people who manage your financial services business. ASIC refers to these people as your ‘responsible managers’ (refer RG 105).

This is an ongoing obligation; therefore it is important that your compliance measures, including how you comply with your obligations, are documented.

How many responsible managers should we nominate?

At a minimum, you need to nominate responsible managers who:

(a) are directly responsible for significant day-to-day decisions about the ongoing provision of your financial services;
(b) together, have appropriate knowledge and skills for all of your financial services and products; and
(c) individually, meet one of the five options for demonstrating appropriate knowledge and skills (refer Table 1 of RG 105).

If you have a responsible manager with appropriate knowledge and skills for some, but not all, of your financial services or products, you need to ensure that your other responsible managers have appropriate knowledge and skills for the remaining services and products.

The number of people you need to nominate as responsible managers will depend on the nature, scale and complexity of your business. However, ASIC expects that you will nominate at least two responsible managers. If you are heavily dependent on the competence of one or two responsible managers (e.g. in a small organisation with one or two principals), ASIC will generally impose a ‘key person’ condition on your AFS licence.

Telling ASIC about your responsible managers

You must demonstrate your organisational competence when you apply for an AFS licence. You may also need to demonstrate your organisational competence if you later apply to vary your licence authorisations.

When you apply for an AFS licence, or to vary your licence authorisations, you must nominate your responsible managers in your application and answer questions about their role, training and experience, and which of the five options they meet. You must also support your application with a ‘core proof’ demonstrating that your responsible managers:

(a) individually meet one of the five options for demonstrating appropriate knowledge and skills; and
(b) together have appropriate knowledge and skills to cover all of your financial services and products.

You must advise ASIC within 10 Business Days when you remove or add a responsible manager; refer to the following link.

Changing your responsible managers

If the responsible manager you are changing is named on your AFS licence as a key person, you must also apply to vary the key person condition on your licence (Form FS03). If you need assistance with adding/removing responsible managers or varying your AFS Licence conditions, contact me.

Obligations of a responsible manager

The obligation for organisational competence applies to the licensee, not the responsible manager, with civil penalties applying for non-compliance; however, responsible managers may be subject to banning or disqualification orders for failing to fulfil their duties. The following cases are relevant […]