MIU - Issue 163 - November 2024
We have announced our enforcement priorities for 2025
ob体育 has announced its enforcement priorities for 2025, capturing the key areas where it will direct its resources and expertise in the coming year.
ob体育 Deputy Chair Sarah Court said, ‘Our 2025 enforcement priorities reflect the increased risks consumers are facing that are being driven by cost-of-living pressures. These priorities are about protecting Australians from financial harm and targeting the people who try to take advantage of them.’
Enforcement priorities targeting greenwashing, superannuation member services and insurance failures, small business and used car misconduct have been retained.
New priorities will target insider trading matters, inadequate cyber-security protections, unscrupulous property investment schemes, business models designed to avoid consumer credit protections and misconduct involving auditors and debt management and collection.
ob体育 has established a new specialist team to expedite criminal insider trading cases from investigation to prosecution. Insider trading remains an enduring ob体育 enforcement priority; however, ob体育 has decided to increase its focus on this area, following on from the release of Report 787 Review of Australian equity market cleanliness (REP 787).
Cyber risk continues to escalate and Australian financial services (AFS) licensees must remain vigilant to guard against this risk. Boards and directors must implement and improve cyber risk management and cyber resilience processes to ensure that cyber incidents are avoided, detected and managed appropriately. For AFS licensees, this includes cyber risk management and resilience. Failure to do so risks enforcement action for breach of licensee obligations and directors’ duties.
- Read the media release.
Basic communication principles in the event of a cyber incident
Recent cyber incidents impacting financial services firms have highlighted disparities in disclosure approaches by some regulated entities. This information covers some good practice communication principles in the event of a cyber incident that may help entities minimise any potential harm.
While the principles below are consistent with guidance from the ACSC and OAIC, entities are encouraged to develop communications plans that suit their needs and those of their stakeholders.
Providing timely and accurate communication
It is good practice for entities to keep stakeholders informed about a cyber incident so they can prepare for any potential impact. This includes affected individuals and organisations, regulators, authorities (e.g. the ACSC), financial markets, consumers, and other relevant stakeholders.
Providing accurate and specific information
Individual incident and entity circumstances will influence the content and channel of communications. Cyber response practitioners typically support the accurate and specific provision of known facts when making public statements about a cyber incident.
General good practice is for entities to not downplay the seriousness of a cyber incident (for example, by characterising it as an IT issue) or overestimate the extent to which it is understood.
When issuing communications about a cyber incident, it is similarly good practice for entities to cover the following, where possible:
- whether the cyber incident is (potentially) malicious
- whether the cyber incident is ongoing, such as a ransom threat
- whether there is a risk that current or former customer data has been accessed or compromised, and if individuals should be cautious
- whether critical issues are under investigation.
Communicating directly with impacted individuals and organisations
Any communications may need to be tailored for effective use by stakeholders, depending on the nature of the cyber incident and the potential impact of the compromised data. This tailoring may include the manner of their provision (e.g. whether by email in the first instance and then by post and phone, where applicable) and information on potential mitigation actions by stakeholders.
Creating a prominent alert on your corporate homepage or customer-facing portal about the nature of the cyber incident
Any alert may direct users to a landing page containing more detailed information about the cyber incident and relevant details about support services that are available (e.g. call centre and identity support service information).
Regular updates of the content on their homepage and/or portal as important information becomes known can support effective harm-minimisation actions by customers and other stakeholders.
Provide a set of frequently asked questions (FAQs)
Entities may consider publishing a set of FAQs to help affected individuals and stakeholders.
Notify other agencies
Depending on the circumstances, an entity must consider whether other relevant regulatory agencies, government departments, or industry bodies must be notified about the cyber incident. If you are unsure about who to report the incident to, see .
For more information, visit the .
What happened at our first Digital Assets Liaison Meeting
ob体育’s inaugural Digital Assets Liaison Meeting (DALM) took place on 11 September 2024. More than 190 industry representatives attended online and in person at ob体育 offices.
The DALM has been established as a regular event to provide the digital assets industry with insights into ob体育’s strategic priorities and key projects, and give opportunity for Q&A. The inaugural DALM covered:
- Opening remarks from ob体育 Executive Director Markets, Calissa Aldridge
- Digital asset focus areas from ob体育 Senior Executive Leader Digital Assets, Rhys Bollen
- An update from Treasury on the digital asset platform law reform proposals from Treasury Director of Digital Assets Policy Unit, Chris Adamek
- Information on ob体育’s Innovation Hub from ob体育 Senior Adviser Strategic Planning and Intel, Jonathan Hatch.
We are planning to hold the next DALM before the end of this year. If you would like to be added to the invitation list or suggest topics you would like to hear about at future meetings, please email [email protected].
Recent ob体育 enforcement actions
Our enforcement priorities send a clear compliance and deterrence message to the entities we regulate. Over October and November, our enforcement actions include:
Full Federal Court dismisses ANZ appeal against ob体育 case
On 2 October 2024, the Full Federal Court dismissed an appeal by Australia and New Zealand Banking Group Limited (ANZ) against a judgment that it breached continuous disclosure laws when undertaking a $2.5 billion institutional share placement in 2015.
In dismissing ANZ’s appeal, the Court upheld the original decision in a case brought by ob体育, which imposed a penalty of $900,000 on ANZ for contravening continuous disclosure laws.
The Court found that by failing to notify the Australian Securities Exchange (ASX) that between approximately $754 million and $791 million of the shares offered in the placement was to be acquired by its underwriters rather than placed with investors, ANZ had contravened its continuous disclosure obligations.
ob体育 Chair Joe Longo said, ‘ob体育 will always defend the integrity of Australia’s markets.’
‘This is an important case that confirms how critical continuous disclosure is to maintain market integrity.’
ANZ was also ordered to pay ob体育’s costs.
- Read the media release.
ob体育 cancels AFS licence of Prospero Markets
ob体育 has cancelled the Australian financial services (AFS) licence of over-the-counter (OTC) derivatives issuer, Prospero Markets Pty Ltd (in liquidation) (Prospero) effective from 25 September 2024.
Following an application by ob体育, on 11 April 2024 the Federal Court ordered that Prospero be wound up on just and equitable grounds and that liquidators be appointed. Under the Corporations Act, ob体育 may suspend or cancel an AFS licence if the licensee is being wound up or if the licensee has ceased to carry on a financial services business.
Earlier in December 2023, ob体育 had suspended Prospero's AFS licence after it failed to lodge its 2023 audited financial accounts.
ob体育 has specified that until 25 March 2026, Prospero Markets must continue to be a member of the Australian Financial Complaints Authority (AFCA), continue to have arrangements for compensating retail clients including the holding of professional indemnity insurance cover, and must comply with the ob体育 Client Money Reporting Rules 2017.
Prospero may apply to the Administrative Appeals Tribunal for a review of ob体育’s decision to cancel its AFS licence.
- Read the media release.