ASIC and APRA announce strategic priorities

2023 – 2024 Corporate Plans 15 min read

Each year, ASIC and APRA release their Corporate Plans, which identify the regulators' strategic priorities and projects. They provide an insight into where ASIC and APRA will direct their resources and enforcement activity for the year ahead and, in ASIC's case, for the four years ahead.

On Monday, ASIC released its Corporate Plan for 2023 to 2027 (with a focus on 2023 to 2024). This was closely followed on Tuesday by APRA's release of its Corporate Plan for 2023 to 2024.

In this Insight, we:

• consider the key trends, similarities and differences we have observed across the plans; and
• on this basis, make some observations on what we expect to see on the regulators' supervision and enforcement agendas over the next year or so.

ASIC's and APRA's strategic priorities

ASIC's Corporate Plan identifies four key strategic priorities, which have all been retained from last year's Corporate Plan:

• product design and distribution;
• sustainable finance (which ASIC uses to refer to ESG products/services across the financial services market);
• retirement outcomes (previously described as 'retirement decision making'); and
• technology risks.

ASIC's strategic priorities are implemented through its core strategic projects. Those projects were identified in last year's Corporate Plan as scams, sustainable finance, crypto-assets, design and distribution obligations (DDO), cyber and operational resilience and digital technology and data.

APRA states it is seeking to deliver three key outcomes:

• protecting the safety and resilience of regulated entities;
• promoting confidence and stability in the financial system; and
• supporting the community to achieve good financial outcomes.

The strategic priorities identified by ASIC and APRA are shaped by key trends in the regulatory environment. Consistent with last year's Corporate Plan, ASIC identifies those key themes as climate risk, Australia's ageing population, emerging digital technologies and volatility in the crypto-assets market. These are largely consistent with the four key challenges APRA identifies as informing its priorities, being climate related financial risk, superannuation transparency and retirement outcomes, system-wide risks and operational resilience (including cyber).

This year, both ASIC and APRA also highlight the difficult economic climate in their plans. For ASIC, this gives rise to a focus on the challenges faced by vulnerable consumers and small businesses, which it indicates will inform its enforcement approach.

APRA, on the other hand, is focused on the need for operational resilience, particularly across the banking sector, in light of the swift collapse of Silicon Valley Bank and the takeover of Credit Suisse a week later in March 2022, followed by threats to the stability of the financial system from rising interests rates, higher inflation and ongoing geopolitical uncertainty.

ASIC's and APRA's enforcement approaches

As always, the ASIC Corporate Plan indicates its enforcement approach will use its 'full suite of…regulatory tools' to prevent and respond to misconduct and remain an active litigator. In this year's Corporate Plan, ASIC has specifically called out its commitment to pursuing high penalties through the courts so that the cost of breaking the law has a material impact on companies.

ASIC's enforcement priorities were separately announced in November last year. Enforcement priorities for 2023 that are of particular relevance to this year's Corporate Plan include:

• poor design, pricing and distribution of financial products;
• misleading conduct in relation to sustainable finance including greenwashing;
• misconduct involving high-risk products including crypto assets;
• combating and disrupting investment scams;
• protecting financially vulnerable consumers;
• misleading and deceptive conduct relating to investment products; and
• unfair contract terms.

ASIC's updated enforcement priorities for 2024 will be published later this year.

APRA's Corporate Plan states that APRA adopts a 'constructively tough' and transparent approach to using formal enforcement tools when a regulated entity does not comply with prudential standards and expectations. APRA's enforcement priorities for 2023 also reflect the focuses of its Corporate Plan, in that they include heightened supervision on cyber resilience through detailed assessments and rigorous pursuit of breaches and continuing to hold trustees to account to improve superannuation member outcomes. It continues to be the case that APRA rarely takes court-based enforcement action.

View our regulatory enforment services.

ASIC: product design and distribution

Unsurprisingly, driving compliance with the DDO remains a key strategic priority for ASIC. This reflects the findings of ASIC's recent reviews, including Report 754 and Report 762, which highlighted areas for improved compliance with DDO by Australian credit licensees offering small credit contracts and investment product issuers respectively.

While DDO was identified as a strategic priority in last year's Corporate Plan, there have been some subtle developments. In particular:

• ASIC has now indicated that it will increase its surveillance over compliance with the 'reasonable steps' obligation; and
• ASIC has indicated it will be shifting the focus of its surveillance from choice superannuation products to credit and insurance products.

ASIC pursued an active enforcement agenda in respect of DDO during 2023, issuing a number of stop orders and commencing civil penalty proceedings against online investment platform, eToro. During 2023-2024, we expect to see ASIC remain active in this space, with a particular focus on insurance and credit providers.

ASIC and APRA: sustainable finance and climate related financial risks

Sustainable finance

ASIC's actions in this area will include supporting the Government's sustainable finance strategy, including its proposal to introduce a mandatory climate-related financial disclosure regime for large business and financial institutions in Australia, to be aligned (as far as practicable) with the voluntary global framework issued by the ISSB. In doing so, ASIC will engage with international peers to ensure Australia's approach reflects global best practice.

ASIC's planned actions for the coming year reflect largely those covered in last year's Corporate Plan, with some notable differences, being that ASIC will:

• undertake targeted surveillance and oversight of sustainability-related disclosure and governance practices across regulated entities; and
• extend the focus of its continued enforcement action against misconduct to poor governance, in addition to misleading marketing and other greenwashing practices (misleading or deceptive representations about sustainability, environmental or climate change credentials), which were covered in last year's Corporate Plan.

Sustainable finance is another area where we have seen a marked uptick in ASIC enforcement activity, beginning in late 2022 and continuing throughout 2023, particularly regarding greenwashing. On 10 May 2023, ASIC released Report 763, outlining its greenwashing interventions during this period, including 23 corrective disclosure outcomes, 11 infringement notices, and its first civil penalty proceedings regarding alleged greenwashing. Since then, ASIC has commenced two further enforcement proceedings alleging greenwashing.

Looking ahead, we expect to see enforcement action continue in this space, with an increased focus on bluewashing (misleading or deceptive representations about social issues), in addition to greenwashing. As discussed in our previous Insight articles, this is a trend which is already beginning to emerge in ASIC enforcement actions.

Climate related financial risks

In its Corporate Plan, APRA also states that it will be supporting the Government's sustainable finance agenda and will contribute to emerging issues such as nature-related financial risk. Otherwise, APRA's focus is on addressing climate change-related financial risk, especially in the insurance industry. A key consideration behind the regulator's latest Corporate Plan is the reduction of access to affordable insurance, including due to the increased frequency and severity of natural disasters. To address this issue, APRA states that over the course of 2023 to 2024 it will:

• conduct a Climate Vulnerability Assessment to assess the impact of climate change risk on access and affordability of general insurance;
• embed climate change risk in its Supervision Risk and Intensity (SRI) model to require ongoing supervisory assessment of this issue; and
• use existing and new data collections for climate change risk to prepare and develop insights on emerging issues and best practices.

View our ESG services.

ASIC and APRA: technology risks and strengthening cyber resilience

Technology risks have again been identified as a strategic priority for both ASIC and APRA, with subtle shifts in emphasis. For example (and in line with recent global trends), the operational impacts of the misuse of algorithms and artificial intelligence (AI) have been afforded more prominence—with ASIC flagging that it will develop new supervisory approaches for emerging operational risks, such as artificial intelligence and quantum computing. APRA also notes in its plan that the growing use of AI is amplifying risks for financial services. This follows statements made by APRA Member Therese Hockley last week that generative AI presents a seismic change for operational risk management and that it will be suggesting that industry 'tread carefully', conduct due diligence, put appropriate monitoring in place, test the board's risk appetite and ensure there is adequate board oversight.

ASIC similarly expects that organisations will ensure that their internal governance structures and control environment keep pace with innovation (adopted by industry and threat actors alike) and that consumer data is not misused. This echoes recent commentary from ASIC that appropriate controls should form part of the design phase for any new technology. ASIC's Corporate Plan also notes that evolving technology is playing a role in the increasing sophistication of digitally enabled misconduct, including scams (APRA also flags that complex scams are necessitating more investment in technology to prevent losses associated with them). Otherwise, the narrative as it applies to cyber and operational resilience, and crypto assets is very similar to last year's ASIC Corporate Plan.

ASIC's and APRA's own digital transformation also appears to be front of mind. ASIC's Corporate Plan emphasises its continued focus on developing its own capabilities to become a digitally enabled and data-informed regulator, so that it can more quickly and accurately identify harms in its environment and support improved decision making. Similarly, a core focus for APRA in its Corporate Plan is transforming its technology and use of data. In this respect, APRA confirms its commitment to 'being a data-driven prudential to support sharper risk-based supervision and provide greater transparency to stakeholders about the safety and resilience of regulated entities.'

Supervisory and enforcement approach

Although ASIC's supervisory and enforcement priorities will be released later this year, its Corporate Plan indicates that its approach to supervision and enforcement is also unlikely to depart materially from previous plans. That is, when it comes to technology risks, ASIC will proactively engage with stakeholders, continue to monitor market resilience, partner with other financial regulators and take enforcement action where there are egregious failures to mitigate relevant risks (especially in relation to cyber risks and governance failures relating to cyber resilience).

For its part, APRA's corporate plan indicates that it will act on breaches of Prudential Standard CPS 234 on Information Security (CPS 234) and ensure regulated entities are taking action to address issues identified in CPS 234 independent assessments. Again, this reinforces APRA Member Therese Hockley's announcement last week that APRA will take strong action to enforce compliance with information security requirements and where an entity is found to be significantly wanting, it will look to impose additional capital requirements of the kind imposed on Medibank.

Upcoming activities

ASIC has flagged that it will take the following key actions in relation to the following core strategic projects:

Scams

• engage an external service provider to identify and take down scams
• work with the National Anti-Scam Centre (co-led by ASIC and the ACCC) to deter and disrupt scams
• identify ways that ASIC's regulated population can strengthen anti-scam practices, including by leveraging insights from REP 761 Scam prevention, detection and response by the four major banks published in April this year, in which ASIC suggested that banks play a critical role in helping to minimise the impact of scams on the Australian community

Crypto-assets

• support the development of an effective regulatory framework on licensing of digital currency exchanges and custody requirements for crypto-assets. This follows consultation with Treasury during the course of 2022. Watch this space for further developments which might encourage larger financial institutions to enter the crypto-market.

Cyber and operational resilience

• develop supervisory approaches for emerging operational risks, including artificial intelligence and quantum computing
• conduct targeted surveillance to monitor cyber and operational resilience (noting that ASIC has previously said that measures taken to address cyber resilience should be proportionate to the nature, scale and complexity of the organisation)
• monitor market resilience and the implementation of new technology and operational resilience market integrity rules which took effect on 10 March 2023
• engage with regulated entities to promote and support cyber resilience initiatives including by leveraging insights from its voluntary Cyber Pulse survey.

In its Corporate Plan, APRA echoes ASIC's calls for increased levels of cyber resilience across the financial sector, given the industry's exposure to cyber risks. Like ASIC, APRA is working with other agencies to ensure the Government is adopting a coordinated response to cyber risk. The regulator also intends to take the following actions during the course of 2023 to 2024:

• assess the effectiveness of boards to oversee actions taken by regulated entities to mitigate cyber risk;
• set clear expectations for specific cyber issues where action by regulated entities is needed to adopt better practices; 
• intensify data-driven supervision for cyber risk to optimise the use of technical specialists on higher risk regulated entities; and
• focus on supervisory crisis preparedness to ensure a coordinated response to unexpected disruption to critical financial services.

View our cyber services.

ASIC and APRA: retirement outcomes and the superannuation industry

ASIC's focus on retirement outcomes in this year's Corporate Plan remains largely unchanged. ASIC intends to take action to protect consumers as they plan and make decisions for retirement, with a particular focus on superannuation products, managed investments and financial advice.

ASIC notes the intersection between this strategic priority and various core strategic projects (addressed above), being those relating to scams, DDO and digital technology and data.

ASIC has highlighted the importance of this area of focus, given Australia's ageing population.

Against this context, ASIC has flagged it will continue taking strong action against misleading conduct and poor governance in the superannuation sector, especially where misconduct erodes members' balances. This focus is likely a reflection of the outcomes of ASIC's joint thematic review with APRA into how superannuation trustees are supporting their members under the Retirement Income Covenant. In Report 766, ASIC stated that the thematic review found that 'trustees need to make progress to enhance retirement outcomes'. During 2023-2024, we expect that this will translate into further regulatory enforcement action by ASIC against the superannuation sector in a range of areas, including in respect of DDO, greenwashing and bluewashing.

APRA's Corporate Plan similarly includes an increased focus on retirement incomes as a priority. APRA states that it intends to drive trustees to improve member retirement outcomes through targeted supervision of the implementation of the Retirement Income Covenant. This focus on retirement income will be aided by APRA's continued work to reduce unacceptable product performance by increasing expectations on trustees to close high fee and poorly performing products. APRA will also seek to increase transparency of performance across the superannuation industry by releasing new and expanded statistical publications and conducting the annual performance test.

View our financial services regulation services.