Close and continuous monitoring - the new ASIC approach of embedding its officers in banks

In brief

Written by Partner Paul Nicols and Senior Associate Laura Hablous

ASIC has recently announced a new supervisory approach that involves embedding ASIC officers in the four major banks and AMP. The initial media reporting on this approach suggested that it would involve embedding 'teams of up to 20 agents for weeks at a time to sit with bank staff, drop into meetings and trail the CEO, executives and directors to identify misconduct before it arises.'¹ That reporting was beginning to sound a little like science fiction, with parallels to the Tom Cruise film Minority Report, in which the Pre-Crime Unit caught criminals before they even committed a crime.

Although there are still some questions about what this new approach will look like in practice, there is now certainly more clarity about what the new approach is and, perhaps just as importantly, what it is not.

What is it?

The 'new supervisory approach' was initially reported as providing tough new powers to ASIC, but all that has in fact occurred to date is an increase in funding. ASIC will receive an additional $70.1 million in funding, $8 million of which has been allocated to the strategy of embedding dedicated staff in the big four banks and AMP.

ASIC Commissioner John Price provided further information about the approach, which he referred to as 'close and continuous monitoring', in a speech to the RMA Annual CRO Conference on 4 September 2018. He noted that 'the key goal was to modify the behaviour of the large institutions to further encourage them to place consumers first in their decision-making and quickly identify and respond to conduct that produces unfair outcomes'. The initial focus of close and continuous monitoring will be:

• breach reporting. ASIC intends to drive improvements to breach reporting by leveraging the work already undertaken in its soon-to-be released report on breach reporting.
• internal governance issues. This will focus on the issues raised in the CBA APRA prudential inquiry, and will be carried out in collaboration with APRA. We assume this will rely on the self-assessments that APRA has requested from other industry participants.
• a review of the differences between institutions in their appetite for change to culture and practices, governance, structure and organisation, reporting practices and gaps, products sold or distribution arrangements that affect the outcomes ASIC is seeking and the ability to get effective change.
• identifying key decision-makers and influencers within each institution to engage with directly (echoing the BEAR reforms).

Given that there has not been any change to ASIC's powers, we assume that ASIC will simply be using its existing powers, such as those under section 912E of the Corporations Act 2001 (Cth), in combination with a greater physical presence on site at the big four banks and AMP.

The international approach

Close and continuous monitoring is said to be modelled on similar processes in the UK, US and Hong Kong, with James Shipton noting that the average stay in Hong Kong was for six-to-eight weeks. Without further information about how the new approach will work in practice, it is difficult to comment further on which aspects of the international regulatory toolkit this new supervisory approach is modelled on. However, reassuringly, the Hong Kong, UK and US approaches are more limited than what some of the initial reporting on ASIC's proposal indicated might be the case in Australia. We note that, for a long time, both the UK and Hong Kong regulators have had a practice of conducting periodic on-site inspections which typically take one of several forms:

• periodic engagement meetings 1:1 with key members of senior management;
• deep dives on particular business areas or functions of a firm, eg, to evaluate business model, strategy or risk-management arrangements;
• inclusion of a firm within an industry-wide thematic review on a particular topic of interest; and
• periodic re-evaluation of the risks a firm poses to the regulator's objectives, coupled with a risk-mitigation plan and individual capital guidance regarding capital buffers the firm should hold in light of the results of the evaluation.

In Hong Kong, the SFC and HKMA have specific powers to do supervisory on-sites under the Securities and Futures Ordinance (s.180) and Banking Ordinance (s.55). In the UK, the FCA relies on its broader statutory information-gathering powers.

What are the implications?

There will definitely be a need to wait and see exactly how close and continuous monitoring is implemented in practice before it is possible to fully assess the consequences. However, at the outset, we have identified the following points to consider:

• clear boundaries will need to be established in relation to confidential and privileged information, in particular where ASIC officers seek to attend meetings where this information will be discussed.
• firms should seek to gain a specific understanding of how any information obtained while ASIC are onsite will be used. This will be of particular relevance where ASIC is observing parts only of a process and does not have the complete context of how an issue progresses and is managed.
• given the initial focus on breach reporting, it will be important to understand the implications of any request by ASIC to witness these discussions in real time. If ASIC officers attend meetings in which potential breaches are discussed, they will likely receive information about incidents that turn out after analysis not to be braches or about breaches which may not ultimately be determined to be significant and which would therefore not ordinarily be reportable under s912D of the Corporations Act 2001 (Cth).

Some of the above issues raise fundamental questions about the scope of ASIC's powers in this context.

A broader roll out – superannuation firms and other financial services industry participants?

The close and continuous monitoring process appears to be part of a general trend of ASIC taking a more proactive approach. John Price indicated in his 4 September speech that there would also be a more intensive engagement with superannuation firms, including more frequent on-site visits. ASIC has also suggested that, if close and continuous monitoring proves successful, it may look to roll it out more broadly.