A speech by Cathie Armour, Commissioner, Australian Securities and Investments Commission at the Australian British Fintech Cyber Catalyst, (London, England), 3 July 2018
Introduction
Good morning everyone.
It's fantastic to be here in London to hear a range of perspectives on our digital future. I appreciate the opportunity to share ASIC's approach to innovation with you.
Why is ASIC - which for those of you who are not familiar with us, is Australia's integrated corporate, financial markets and services regulator - keen to participate in a Fintech Cyber Catalyst?
Well, our job is all about ensuring a fair, strong and innovative financial system for all Australians. We are vitally interested in the digital opportunities available for Australian financial investors and consumers; in the technology that powers our markets and in promoting a capital market environment and a regulatory framework that allows business to prosper.
So all in all, a Fintech Cyber Catalyst is exactly the place we want to be, and it is very much a place we need to be.
Critically, this week we are exploring opportunities between Australia and the UK as part of what is already a very close and supportive relationship in financial services sectors.
Today, I will examine innovation from a regulator's perspective focussing on:
- First, some of the opportunities I see for Australia and the UK that support innovation in financial services and markets;
- Secondly, ASIC's approach to innovation;
- Thirdly, what ASIC is doing in the regtech space; and
- Finally, I will explain our approach to cyber security - a topic that is, and has been for a number of years now, high on our priority list.
Opportunities for Australia and the UK
This catalyst will identify numerous opportunities between Australia and the UK that will support innovation in financial services and markets.
Our Governments have committed to deepen the existing relationship by leveraging and recognising aspects of each other's frameworks and supervisory approaches - this will no doubt create efficiencies for all.
There are opportunities for innovators to exploit the close regulatory relationship between the Australia and UK regulatory regimes. These benefits exist today without the need for a skerrick of additional work - I think industry could be making better use of these benefits.
For instance, licensing authorisations for financial service providers and wholesale markets are easier for firms from our countries. As an example, a professional market operator can operate across our respective borders with compliance expectations and supervision largely set and undertaken in one country and relied upon by the other. In other words, a form of mutual recognition or home/host approach.
Between the FCA and ASIC to date, there already exist practical forms of recognition frameworks. More than a dozen UK wholesale platforms currently offer their services in Australia based on ASIC's deference to the FCA's primary regulatory oversight.
Our key market infrastructures - our clearing houses - have also been granted rights to operate in each other's countries based on this equivalence approach.
I see great advantages to learning from each other's approaches to the design and implementation of frameworks, particularly in relation to setting common standards, and maximising use of and cross-referencing each other's standards. Both ASIC and the FCA were closely involved with the development by the Central Banks and Industry of the FX Global Code.
The UK is living and breathing its new open banking regime - given Australia is looking to start introducing its regime from July next year, we see great value in learning from your experience in the UK as the regime matures.
There is plenty in common between the Australia and UK regulatory environments for financial services, the key regulators know each other well and are used to collaborating - my question for this audience is are you making the most of this environment?
I anticipate many of you want to hear about how regulators and governments might look to standardise regulation in order to better facilitate fintech between our countries. This question is a good one because there are regulatory differences between our two countries and undoubtedly life would be easier for fintechs to operate across countries if there were no differences.
But I think an emphasis on this issue of standardisation runs the risk of distracting focus from the real and achievable benefits of using our current effective cross-border regulatory model.
Think about this - we have not been able to agree on legal standards for distance - you have miles and we have kilometres so what are the chances that we can expect agreement on standards for other detailed areas of regulation like financial services. In any event is there really much utility of just two countries agreeing legislation; what about our other trading partners?
Simply put, Australian and UK governments and regulators can and do work very effectively in an equivalence or mutual recognition world - that is a world where firms in the financial sectors operate on the basis I have already described - they obtain licensing or permission to operate in one place based on the regulatory oversight and rules of the other jurisdiction.
What are some practical examples of this? Well here is an example after my own heart - UK firms report transactions on trading venues under the MIFID II and accompanying regulations. If those same firms were operating in Australia they would be required to retain records under our much more generic 'business records' requirement but would not have the same detailed reporting obligations. If a firm that provided regtech support to firms who needed to meet the MIFID II requirements were to approach us at ASIC about clarifying our record keeping requirements, we would be open to considering issuing guidance that meeting MIFID II reporting requirements for some types of Australian business, would also satisfy our requirements. Effectively creating a standardised process without the need for mutual law reform.
Not dissimilarly, Australia does not yet have an equivalent to the EU General Data Protection Regulation - as you know and we have discussed earlier today, we are in the process of developing and will legislate a Consumer Data Right.
But in any event if you are building technology solutions for firms that comply with the GDPR obligations, why would you think that this technology might not be suitable in the Australian markets - some aspects of the technology solution might need to be developed with the capacity to turn off certain elements in places where there is not an equivalent legal obligation - but building to the highest standard of data protection for consumers is unlikely to translate to a significant regulatory issue in our country - and may be relatively easily adjusted to accommodate any critical differences when the Consumer Data Right is finalised.
So, rather than try to wrangle disparate political processes in different countries for a uniformity that has not before been achieved in history and which tends to implicitly suggest adopting the lowest common denominator - my counsel to the fintech industry is to focus on developing solutions for the best investor and customer outcomes, the higher standard of the relevant jurisdiction, to allow the flexibility to 'turn off' some features and to work with the regulators to look for guidance and support of the higher standard being applied by businesses in their country.
ASIC's approach to financial innovation
Moving more broadly to ASIC's approach to innovation. ASIC supports technological change that may improve outcomes across the financial system.
Evolving technology is nothing new to regulators - markets have existed in one form or another over mankind's history. We are all familiar with the technological leaps and bounds that have led to today's dynamic markets where equities or foreign exchange transactions occur in nanoseconds. This is a far cry from the days of men haggling in the courtyard of the world's first modern stock exchange the Amsterdam bourse at the start of the 1600's.
We like to think that our regulatory regime is sufficiently principles based that it operates in a technology neutral way. But we do know that this is not always so; pragmatism means that we frequently amend our regime to facilitate new technologies. For example, we have facilitated electronic securities offering documents.
We also adapt the way we regulate to reflect the technological needs of the day. For instance ASIC's Innovation Hub helps ASIC to engage with new Fintech and reg tech start ups.
The Innovation Hub has five components:
- engaging with fintech and regulatory technology start ups, as well as the physical hubs and co-working spaces for start-ups;
- informal assistance for eligible fintech and regtech start ups - our goal is to help new businesses consider key regulatory early on in their development;
- tailored guidance for innovative businesses to access information and services relevant to them via our website;
- a senior internal taskforce to assist in analysis of new business models - the taskforce draws together knowledge and skills from across ASIC, and is complemented by internal working groups on digital financial advice, marketplace lending, equity crowdfunding, blockchain and crypto-assets;
- a Digital Finance Advisory Committee (DFAC), which provides ASIC with advice in this area. The committee includes members from the fintech community, academia and consumer advocates as well as other financial regulators.
ASIC's regulatory sandbox framework
ASIC has a regulatory sandbox framework - a 'lighter touch' regulatory environment - this sandbox is available to Australian and overseas fintech start-ups.
Our sandbox is based around a world-first class waiver (an exemption) that allows eligible fintech businesses to test certain services for up to 12 months without an Australian financial services or credit licence.
At the same time, retail clients who access services of firms using the sandbox still have fundamental protections under the law, such as dispute resolution and professional indemnity insurance.
This is a 'whitelist' approach - there is no ASIC review of each proposed test. In contrast, sandbox proposals in other countries and we heard today about the FCA's sandbox, involve regulators selecting applicants and negotiating individual testing terms.
Six firms have made use of this fintech licensing exemption and many others have approached ASIC about its application and learnt there may be alternative ways to test their business model where they are not eligible to rely on this exemption made by ASIC.
The Australian Government is looking to build on the scope and design of the ASIC Sandbox in a number of key areas. For example, the Government proposes that the licensing exemption set by ASIC be replaced with a similar conditional exemption but for a wider range of services, eligible providers and for a longer duration. A Bill to enable for the Government's enhanced sandbox was debated only last week.
Global dimension to ASIC's work on innovation
ASIC believes it must be open, engaged and globally connected in order to contribute to an innovative financial sector. So we meet with our international regulatory counterparts to discuss developments and policy proposals as often as possible.
We engage with global standard setters through, for example, the various taskforces and committees at IOSCO and other regulatory groups to contribute to the global discourse on fintech and regtech and to champion what is being done in Australia.
We have also recently joined a working group of regulators led by the FCA working to jointly consult on the feasibility of a Global Sandbox.
At a practical level, we have the mechanisms in place to make referrals of fintech providers under Co-operation Agreements with international agencies and are more than happy to do some heavy lifting where we can.
ASIC entered a world-first fintech Cooperation Agreement with the FCA in the UK back in 2016, that allowed us to refer fintech to each other to receive informal assistance.
In March this year, the FCA and ASIC entered an enhanced Cooperation Agreement, deepening our level of commitment to work together on work relating to fintech and regtech.
This enhanced agreement is part of the UK-Australia Government-to-Government Fintech Bridge that we have heard so much about today.
Under the regulator-to-regulators component of this agreement, ASIC and the FCA will be doing a number of things which we have already heard about today including:
- exploring opportunities to enable quicker licensing of innovative fintech businesses that are already authorised in the other jurisdiction. The FCA and ASIC will hold discussions in the next month;
- looking at ways to facilitate entry into each other's sandbox environments;
- making a commitment to reach shared approaches, understandings and positions on emerging issues relating to fintech and regtech. Only last week, ASIC had 4 data scientists meet with FCA colleagues on approaches on data analytics and use of supervisory technology; and
- considering other shared opportunities, such as joint events, trials, research projects and secondments.
ASIC's role and approach to regtech
Turning now to the sibling of fintech, I'll explain some of ASIC's work in relation to regtech and what we view our role to be.
A capacity to monitor automated activities is already a core element of risk and compliance frameworks for some parts of the Australian financial system, such as the monitoring of financial markets activity.
We strongly believe that reg tech should be top-of-mind for regulators and across all of the financial services industry.
The regtech sector has enormous potential to help organisations build a culture of compliance, identify learning opportunities and save time and money relating to regulatory matters while improving compliance and most importantly outcomes for consumers.
It also has potential to support ASIC and our regulatory peers in the way we undertake our own work, including engaging with industry.
This is critical for us to do our job successfully. We must monitor market integrity and so we need the tools to analyse the millions of transactions daily on our markets. This year we need to analyse approx. 75-150 million messages per day, for over 1.5 million equity trades, 45k futures trades. For our enormous (in monetary terms) OTC markets, 2-3 million end of day positions.
As an example, in a recent investigation that looked at market misconduct of four large financial institutions ASIC reviewed over 75 million documents (35 terabytes of data) and over 42 million voice recordings (2.7 million hours of listening pleasure being 256 terabytes of data). So you can see why we are keen exponents of the virtues of regtech!
This time last year we publicly consulted on what ASIC's role should be on reg tech. Generally the response supported ASIC being ambitious in the regtech - which was good, because that is what we want to do!
Our approach to regtech is guided by some basic principles:
- To work towards regtech outcomes that align our strategic objectives;
- To undertake a focused number of initiatives that have near term deliverables; and
- To have regard for industry input, good international case studies and our own learnings in forming our plans.
Our Innovation Hub hosted Regtech Roundtable and Showcase events last year. We have had over 60 meetings with regtech stakeholders and service providers.
ASIC's Regtech Liaison Forum
Late last year we established ASIC's RegTech Liaison Forum. The forum meets every three months and meetings are open to all interested parties.
The Forum's goal is to facilitate networking and stimulate discussion on regtech developments and identify opportunities for future collaboration. We are hoping that it provides a platform to help identify practical areas of focus for industry and regulators.
ASIC's NLP Trials
I'd like to talk briefly on ASIC's Natural Language Processing trials.
In February we released a set of problem statements with use cases to understand and encourage the application of Natural Language Processing in resolving regulatory problems.
The trials are to explore potential efficiencies in supervision, including through automation and prediction, and present a genuine learning opportunity for ASIC.
A tender was issued for the provision of pilots and we have executed contracts to execute these trials over the next 3 to 4 months in:
- The identification of promotions of concern for financial and credit services;
- Managed fund PDSs review;
- Financial advice file review;
- Financial reporting review of company announcements; and
- Prospectus review
We will keep industry, our fellow regulators such as the FCA, updated on how these trials progress and share any insights we can on our learnings.
Cyber security - a common challenge
This Catalyst focuses on meaningful collaboration and part of that is sharing information on our approaches to common challenges like cyber security.
ASIC has long recognised and identified that cyber resilience of the regulated firms in our financial markets is a critical long-term challenge.
Only last week, our financial press reported on the number of times our big banks in Australia come under cyber attack in a 24-hour period.
ASIC has focused on raising awareness, assessing and reviewing the cyber resilience of our regulated firms, and sharing good practices and standards in our efforts to raise the standards of cyber resilience.
When I refer to firms here, these include authorised market operators and participants including stockbrokers and investments banks.
Underpinning this practical activity is an approach to cyber security supervision founded on three principles:
- First cyber resilience practices must be embedded into whole of business enterprise risk management framework - this is a licensing obligation;
- Secondly, we will work in collaboration with both industry and other regulators (both foreign and domestic) on an ongoing basis to learn from them as well as share our own insights and learnings, and share intelligence on cyber risks and mechanisms to mitigate new and emerging threats;
- Finally, recognising the cyber landscape is rapidly changing, ASIC follows an evolutionary approach that reviews and raises the bar on a periodic basis. This includes adapting our surveillance processes in response to key events, such as the emergence of new regulation or new types of cyber threats not previously accounted for.
A lot of this is set out in our report published late last year which includes a number of observations from our work with 100+ entities across the Australian financial market. We can share this with you if you are interested (Report 555 Cyber Resilience of firms in Australia's financial market).
Getting into some of the detail of our work in this area, over the past three years ob体育 has performed cyber security surveillance and assessments of our regulated firms across the financial markets sector.
To date these assessments have been conducted across market operators, post-trade infrastructure providers, credit rating agencies, investment banks and stockbrokers.
The assessments were conducted using standards-based surveillance tools and self-assessments adapted from the United States NIST Framework, as well as follow up interviews with firms and the collection of additional supporting documentation for review.
This work has resulted in the publication of several reports to date, which can all be accessed on the ASIC website:
- We continue to review, assess and refine our approach based on our findings to ensure that we are driving continuous improvements and therefore uplift in the levels of resilience across the financial sector. [1]
- We also continue to re-enforce the message that Boards need to have a thorough understanding of their risks, and how to mitigate against, and recover from cyber incidents - this is now fundamental to business risk management and potential survival. It is imperative that Boards treat cyber security with the same level of importance as they would manage 'traditional' risk, such as financial, competitor or reputational risks.
- We are actively looking at market misconduct that is facilitated by poor cyber security. Last month charges were brought against an IT consultant for 115 offences of unauthorised access to data in a computer, insider trading and destroying or concealing books required by us.
We are very interested in hearing about other strategies and approaches as well - be they based on real-time surveillance using people, automated robots or newer concepts like gamification.
On that note, I'll wrap things up.
Thank you very much for the opportunity to run through some aspects of ASIC's approach to innovation - I'll be back for a panel discussion a little later on.
- Report 555 Cyber resilience of firms in Australia's financial markets
- Report 468 Cyber resilience assessment report: ASX Group and Chi-X Australia Pty Ltd
- Report 429 Cyber resilience: Health check.