Transcript of Speech and Question & Answer Session Panel Participation by Brad Jones, Assistant Governor (Financial System), at the Regulators 2023 (FINSIA) – Sydney

Let’s turn to some questions and really have a conversation with our regulators. I might kick off with John and Mark. We hear about APRA and ASIC working very closely together with the banking sector at the moment, in regard to the implementation of FAR by March 24, so that’s coming very quickly, and also, ultimately, then the superannuation industry and the insurance industry by March 2025. So how can professionals working in financial services, really, our audience here, best prepare for this transition and engage with regulators to prepare for this new regime? So, it’s just, really, about any pragmatic guidance.

Well, I’m happy to go first. So, the financial accountability regime, a very important piece of legislation, was passed by the parliament. It extends the BEAR, if you like, in a couple of ways. So, it moves from prudential to prudential and conduct, and it also moves from banking to banking, insurance and super. So, they’re kind of the two kind of elements to it. We see it as a really important way to improve accountability, improve risk culture, improve governance, really, in our regulated entities and, if we can achieve that, we think we’ll get better community outcomes, so we do think it’s really important. We’ve put out, together with ASIC, some information very recently around probably a couple of aspects: the joint agency agreement between APRA and ASIC, how we’re going to work together. And that is a really unique function, a really unique thing about this piece of legislation, in the fact you’ve got a piece of law administered by two regulators. So we’ve put out a short document explaining: well, how is that actually going to work? And we’ve put out another document around: well, if you’re a bank, how are you actually going to transition from a BEAR to a FAR? And that has to happen by March next year. So they’re the two things. We’ve done some webinars. Hundreds of people came to the webinars. If you missed it, it’s all on our website, so I’d encourage you to have a look. We’ll put out some more detailed material probably in a few weeks, really, particularly around the templates and what we expect. But broadly, if you’re sitting in a regulated entity, start thinking about the accountability, start thinking about the mapping I think is what I’d say to you. And the final thing I’ll mention is that we are giving a lot of thought to regulatory burden. When we look at the FAR, we really want it to feel, if you’re in a regulated entity, that you’re not dealing with two regulators, you’re dealing with one regulator. And there’s a couple of things I’d highlight. One is that, when you’re putting in your information, you’re going to put it in through the APRA Connect Portal, so you’re not going to two agencies; you’re going to one, and then we’ll distribute that to ASIC. And, as we’re thinking about supervisory or enforcement actions, we’ll do that collaboratively. So there’s a lot happening in this space. I’d encourage you: if you want more information, go to our websites; it’s there. And you’ll be hearing more from us on that.

Thank you, John. If there’s anything more –

I’ve got very little to add to what John says. Just engage with that content that’s coming and know that we’re working closely. There’s more content to come. There’s the minister’s rules too, I think. They all collectively set the scene, and I think that’s the rub of it. Just engage with that and know that we’re open to being engaged with.

Thank you. Brad, I’ll turn to you. We might talk a little bit more about payments, if we have a little bit of time. But I might pull you back to a different topic and we can’t ignore the geopolitical tensions, which are extraordinary, across the globe: Ukraine last year, of course, what’s happening in the Middle East, and on it goes. How does this increasing geopolitical tension impact how you think about the regulatory focus, the priorities?

Well, first of all, I agree with the proposition of your question, which is basically connecting, I think, to this idea that, more or less since the Second World War, economic policymakers and industry haven’t really had to think hard, deeply, about some of these issues because there was never any real, genuine prospect of economically integrated countries, and whether there are going to be potentially significant issues. That sort of a mind­set clearly needs to shift. I don’t think it would be helpful for me to be too prescriptive about what individual institutions do here because they’re each got their own obligations to manage risk, broadly speaking, in a prudent and comprehensive way. Maybe what I could say is, at least the way that I think about this is that there’s kind of two dimensions here that we need to unpack, two layers. One is the risk of sort of slow-burn fragmentation in the global economy and the global financial system, and I’d go so far as to submit it’s actually not a risk but it’s actually happening now. And I gave a speech about this earlier this week, where I sort of went through the different dimensions to this fragmentation. But the bottom line is it’s happening, it’s real and it’s playing out along various dimensions in the global financial system, in the global economy, and it’s making the system more susceptible to shocks. That’s the first point. The second point is that there’s another dimension, which is the risk of fast-burn kinetic – some sort of fast-burn kinetic event, and that is a totally different sort of set of implications. But what both of those elements, I think, speak to, the slow-burn fragmentation risk and the fast-burn kinetic risk – they connect to this concept of resilience and preparedness, and we really need to be thinking very, very hard as a community about what that looks like.

Yes. Thank you, thank you. Peter, we started talking earlier, of course, about the importance of fighting financial crime and our industry’s obligation to fight with you in that regard. What are you seeing taking place in the financial markets as our understanding matures; are you seeing this swell of improvement?

It’s a great question. I think it’s fair to say that we have really had an evolution. In the last five or six years, I think it’s fair to say that AUSTRAC has been more forward-leaning and more visible in the marketplace, and I think industry has really responded, so, —not all sectors; it has been a bit hit and miss. But I think, in general terms, industry is really responding and taking it a lot more seriously; we are absolutely seeing that. But even that response is coming in waves. I think, initially, industry quite rightly said, ‘Okay, let’s all have a look; are we doing this well? Okay, we need to invest more,’ and so we did see quite a significant spike in reporting that was coming into AUSTRAC, which is always welcome. What we’re now seeing I think is, after that initial period, an increase in the level of sophistication and maturity in the type of detection systems. So that is now helping us further improve again, industry again. So, we’re not just getting report of everything that might be something suspicious but a much more mature and developed understanding of the types of risk, and that’s being done in partnership with AUSTRAC and based on the benefit of that additional guidance and material. So, I think we are on that journey. I think there are some sectors that have been faster than others, and so that’s why our enforcement work is still really important. So, we need to make sure that there is a strong deterrence effect for those sectors that are slower to adapt, and so we remain committed to that. But we have seen that uptick, absolutely.

Yes. Thank you; that’s good. So, Mark, on that theme of movement in the industry, if we think back to the design and distribution obligations, DDO, which is now two years in, what impacts are you seeing following the introduction of these obligations; are you seeing what you were needing to see across the industry?

Thank you. So, the DDO, from our perspective, is really an important addition to the mix of things in the framework which promote better consumer investor outcomes, so it’s at that supply side. So, it’s not just about disclosure; it’s about issuers and distributors thinking about the cohorts which this product is most apt to and its goal of promoting that ambition that people are getting the fit-for-purpose sort of product more likely than not. So, it is two years in and early days, so the short story is, I think, businesses have reflected on that and changed things. And there’s been a bit of nudging on that. I mentioned earlier there’s been 80 target market distribution stop orders that ASIC issued, so there is still thinking being done about getting that prism right. So that’s at this stage. I probably just want to add one thing, and that is the obligation includes in it the monitoring function, the review and monitoring, as well as an obligation to change your distribution approach, if necessary. So, I think that’s an area that ASIC will be turning its attention to, alongside the actual issuance side, so that the mix of the obligation does its role in promoting that outcome of the products being distributed more likely to the right cohorts.

Thank you, thank you. And, John, as we think about all this monitoring and how technology helps us do so many things these days. I’ll turn to you, John; that sort of brings us to outsourcing, because so many organisations don’t have the capability in-house and we have to outsource to third- and even fourth-party contractors rather than building in­house systems. So what practical steps can boards or execs take to ensure that these business activities are being appropriately managed?

So, we know that outsourcing is a very important part of regulated-out business. I mean, it delivers technology, it gives innovation, and it gives services that maybe the business can’t provide, so all of that’s good. But what we say to regulated entities is: whether you’re providing the service housing it in­house or going out, you need to make sure that you’ve got the appropriate risk measures around it. So, I think that’s the key issue. We’ve put out CPS 230, it’s a big standard, and we’ll put out some guidance early next year, I think, on that as well. Really, what that is about is saying, ‘Know your third-party, fourth-party, fifth-party providers. So really understand who they are, because we’re not regulating them; you’re involved with them. Know who they are, make sure there are robust controls in place and know what your critical operations are as well. And so, when I think about what we want people to do, our standard doesn’t come into play for another 18 months, but we don’t want to be in the world where it sort of comes into play and we’re not ready. So we’re asking regulated entities to really have a think now, and so it’s almost map the third-, fourth-, fifth-order parties, the material ones, and understand where they link into the critical functions as well: like, what makes them important. And the third thing I’d say is that, really, for some entities, this is going to involve a bit of system change, you’ve got to go through that; but, for other organisations, it will involve a much deeper cultural change for the organisation, so be aware of that. And, if you’re certainly in the latter camp, my message would be: ‘Start talking about it; start talking about the importance of it and, really, what we’re trying to do,’ because, if we can nail this, I think it will really be an important sort of plank in the safety of the system and for entities.

Yes. Thank you; that’s good. And then, Brad, we’ll pick up on this theme of innovation. There’s so much happening in the payments system, so what are the key risks that you intend to mitigate or address – you can’t mitigate all of them, but address – through regulation?

Look, operational risk is becoming a huge issue, obviously, right across the financial sector and parts of the payments ecosystem are obviously right at the pointy end of that. So, what we’re really focused on is making sure that entities are leaning into some of the vulnerabilities that are really the flipside of the opportunity coin. Then payments: there’s so much innovation going on in this space and, as a country, I think we really need to harvest all the benefits we can from what’s happening on the innovation side but, at the same time, it’s obvious that there are some key points of vulnerability. The point that John made about third parties is one that looms very large for us. For the institutions that we regulate, it’s not enough to say, ‘Well, these are third-party risks,’ and sort of assume that they’re not responsible. You are responsible for third-party risks, or the risks introduced through you turning to third-party vendors which can be an entirely sensible commercial decision, but it doesn’t absolve you from your responsibilities to manage those risks appropriately. And cyber is sort of right at the pointy end of that issue because there is, I think, an ongoing concern – and we talk about this frequently as a sort of regulatory community – about where are the key points of vulnerability to cyberattacks and through third-party vendors. It’s an issue that just keeps on cropping up in our conversations. That’s a particular area of focus.

Yes, a good pragmatic call­out, so thank you, thank you. And, Peter, we’ll look at just RegTech. So RegTech, again on this theme, can play a really critical role in how we really assist organisations meet their AML/CDF obligations. As you – well, for AUSTRAC, do you work with the RegTech sector, engage with them, provide that pragmatic guidance to help them get to the place that we need everyone to be?

Look, there’s no doubt that RegTech absolutely has a role to play in this space, and we are actively engaged with the RegTech community. We hosted an event with the RegTech community this week, where we encouraged the collaboration and the work to get it to operate. It is going to absolutely be a fundamental part of it. But just like John and Brad have talked about, you are ultimately responsible as the business. And so, over and above what John and Brad have talked about, I think we just emphasise this very similar message potentially in a slightly different way. When you’re engaging with the regulatory technology or other outsourcing means, test, validate, assure yourselves that what you’re using is good and robust; because it may be cost effective, it may have a skillset that you don’t have but, if you’re not regularly testing and validating and assuring that it’s doing what you want it to, and whether that’s your internal assurance or getting someone in to come and have a look—we are strongly encouraging that as part of that innovation and testing mindset. We’re all for it, very supportive of it, but just keep testing.

Yes. Thank you, thank you. I might just turn now to some general questions for everyone. I’m just going to do a time check. Are we doing okay? Okay. So maybe I’d like you all just to touch on, if you don’t mind; we’ll start at the end of the couch, how important is interagency cooperation within Australia and globally?

It’s essential. I’m sure all my colleagues will say the same. Let me just give a few examples. There’s the informality. I don’t want to underestimate the informality, and I think that’s richer and deeper than it’s ever been. And that’s everything about what we’re seeing, how we’re doing things, where we’re learning, where we’re growing. It’s all those factors. Then there’s the formality. And you and this audience need to know, when there’s supervisory work going on, that we’re in dialogue to make that work as best and in a coherent and aligned fashion as much as possible with the sector. Then, if I just switch it to internationally, that’s really crucial as well – and many of us are represented on international standard-setting bodies – because those international standard-setting bodies aren’t just academic; they produce good guidance and content and practices, which are influential in influencing the way that our businesses should operate and also informing policy frameworks within this jurisdiction. So they’re just three examples where I think the interconnection is just essential, yes.

Yes, thank you.

I’d add to that. Whether it’s operational engagement at the most junior levels of the organisation, we’re now picking up the phone or going to meetings together more than ever before or whether it’s at the end point, where we’re undertaking an enforcement outcome. We’ve done really collaborative enforcement work with ASIC in the casino sector, we’ve done some great joint enforcement work with APRA in the banking sector, and you’ll see more of that. None of us have the resources on our own that we’d all love, we’d always love more, but the more that we can collaborate and share, the better it is.

Thank you. John?

So, like, we can’t do our job without collaborating, and that’s the frank answer. I mean, the financial system is global; right? So it’s all interconnected. We can’t just be in our own bubble and do our own work; we’ve got to be cognisant of what others are doing and collaborate together. So, again, just to give you a feel, globally, we adhere to international standards. We’ve got to, as a mid-size economy. It’s important for the stability of the system. So we do that on banking, Basel; we do that on insurance; we do that on pensions. We’re involved in all of those international committees. I talk regularly with heads of prudential regulators – I spoke this week with two heads of prudential regulators offshore to understand what their priorities are and what they’re doing – and that actually helps us inform what is happening here: does that ring true? We’ve got supervisory colleges, so a number of our entities actually are operating globally as well, so we share information on that with the New Zealanders, so the Trans-Tasman Banking Council; I’m off there next month. So there’s a lot of global kind of work happening. And then, domestically, we’ve got MOUs with everybody here and very close working relationships. And the one that I would pluck out, I think, that is unique globally is the Council of Financial Regulators. It does not have powers itself, but it is a collaborative organisation of independent regulators and, when there are problems in the financial system – you saw it in March; you’ve seen it in the pandemic; you saw it in the GFC – I mean, that body and the way it works really comes to the fore for pinch point issues but also some of the longer term issues that we’ve got to address. So, it’s just critically important.

Fantastic; thank you. Another comment?

I’ll just add two quick points. The first is: I’m sure you’ve all heard the expression about ‘never waste a crisis’. We’ve had two big ones in the last 15 years and, if there’s any good that’s come out of those periods: the Global Financial Crisis and the pandemic, it’s that it forged a degree of cooperation and collaboration domestically and internationally that maybe wouldn’t have happened in the absence of those events. And the second point I’d make is ‘commonality’. The commonality of issues that we confront, the agencies represented on this stage, but also internationally, is just really striking. We’re all dealing with, effectively, the same issues. They just play out slightly different in our patches. And so, yeah, it’s just become really existential that we’re speaking to one another on that basis.

Yes, very good. And, again, thank you for sharing because I think it’s a wonderful insight and should give everyone confidence on how Australia is being regulated. But thank you.

Hi, I’m from Rhizome Advisory. I’ve got a question regarding AI and the expectation of regulation coming down the pipeline; what are your views on that?

AI is incredibly important as a productivity enhancer: better services to the community ultimately. But what we say to all our regulated entities, whether it’s AI or any other form of technology, is that you need to be prudent. You need to wrap risk management around it and you need to think through: what are the risks and what are the controls we need to have? And that needs to be carefully monitored, and boards need to be very aware, and senior management, of what’s happening. So that’s what I’d say.

That’s sort of gazumped my question. I’m from Bendigo Bank, Adelaide. I had an AI question too and I was going to ask that one, but the second one is: how are the regulators thinking about AI about how it will help you do your job?

Look, we are actively thinking about a bunch of use cases ourselves and starting to play in that space, as I said, both on the intelligence front and as part of our regulatory role. I’m very conscious, though, that we’re not alone. We operate in a big government ecosystem, and so we’re looking at leveraging some of our bigger partners who are engaging with that. But I think it’s fair to say that there are not only opportunities and benefits for you but also for us, and so we are engaging with that and thinking of use cases and seeing how it fits our remit. But we’re doing the exact same things that we ask you to do; that is really test, assure, understand your risks and think about the consequences of getting it wrong.

Thank you.

And I would just double down on that and say ‘absolutely right’. There’s just a couple of things I’d probably just mention. There is a whole-of-government activity looking at best practices, led by the Digital Transformation Authority, and I think we’re all probably intertwined with that, so that will assist us in that. And that point that Peter made: we need to be exemplar in the application of these advanced analytics in our work.

I’m a digital banking and industry academic. I notice the capability for the takedown of scam websites, which I thought was a really interesting kind of innovation. Are we likely to see more of this come from government; and how can industry help with those kinds of initiatives?

Well, I can touch on that briefly. I mean, I’m not front and centre on this activity, but I think we made an announcement yesterday with the Assistant Treasurer. So one of, I think, the significant efforts around responding to scams is what can be done to mitigate that through exercises to take down and engage in that. So it is an important plank of the activity, and I think there is funding support for that over the near term. So we’ll have to keep seeing the strength of that contribution. There is the national scam centre, led by the ACCC, so there are bridges there for industry to engage with around the discussion around scams. So I’d want to just emphasise that there are avenues for industry to engage with that dialogue because it’s touching everybody. And that takedown example is an example of something: I think that fusion shell I mentioned. So there is the first sort of investment scam taskforce that’s been established with a short horizon, and that’s an example of what potentially could be other examples to support dealing with investment-scam-like activities, and that’s going to be really interesting to see what comes out on that.

Yes. But there’s not going to be any one initiative or silver bullet that will solve scams; it’s absolutely a multifaceted solution, right. So sometimes there’ll be a takedown facility, sometimes it will be a law enforcement response, sometimes it will be hardening industry as the first line to stop things getting into the gateway. That’s why the ACCC’s Anti-Scam Centre, in the fusion cell, has all of those partners in there because we’re exploring all of those options and really making sure that as many bases or as many different treatments are covered as possible.

Hello, I’m a non-executive director on some financial services entities. One of the many learnings from the recent public data breaches is in relation to protection of data and retention of data, and financial services has more sort of regulatory requirements in that regard than other sectors. So I’m just interested in your thoughts on data retention and data sharing, data protection.

Well, I’m happy to lead off. I mean, it’s a very important issue. It goes, for us, with operational resilience, and what we’re saying to all entities is not just know what you’re critical functions are and operations but know where your critical data is; right? Know what is critical, know where it is and know it’s safe, so wrap the risk management around it; so we’re saying that. We don’t have particular rules, to my knowledge, on how long to keep it. I mean, these are issues for the entity itself, but you need to be managing the risk.

Yes. We have some obligations under our anti-money-laundering regime to keep records for certain periods of time, but all the same things apply that John said. you’ve got to have the protections, the frameworks, in place to do that, and it is a challenge; you’re always going to be susceptible. That’s why it’s not a one-off investment to protect your systems; it’s a continual battle. And for senior executives and independent directors, you have to be prepared to continue to fund it. It’s not a: ‘Oh, it’s orange this month; we’re going to whack some money at it and it will be green.’ It’s a continual investment that you’ve got to be prepared to continue to engage with.

Thank you. We don’t have time for any more questions. I’d like to invite Yasser up to the podium and, as Yasser joins us, I’d personally like to thank each of you and your agencies for the work that you do every day. Thank you.

Thank you, Chris, and thank you to our regulatory panel; it was tremendously insightful, as we expected it to be. We really do appreciate the candour and the openness that you all bring to the discussion today. I think you’ll all agree that regulating the financial services sector is certainly a big challenge; we know that in a day-to-day context. We know that it’s vitally important, though, and the role that each of you play is absolutely critical to maintaining the stability of the great financial services sector that we do have in this market.