ASIC cracking down on AFSL holders: inadequate cybersecurity infrastructure and non-compliance by authorised representatives

ASIC has recently commenced enforcement action against Australian financial services licence (AFSL) holders for alleged breaches of the general licensing obligations in the Corporations Act 2001 (Cth) (Corporations Act) and failures to ensure that authorised representatives (ARs) act in the best interest of clients.

The actions are a useful reminder of the potentially broad scope of the general licensing obligations, as well as ASIC’s willingness to bring proceedings against licensees who are allegedly involved in non-compliant conduct.

AFSL holders to maintain adequate cybersecurity systems and infrastructure

On 21 August 2020, ASIC commenced proceedings against RI Advice Group (RI), a wholly owned subsidiary of IOOF Holdings Limited, for cybersecurity failings that led to its systems being hacked. The proceedings follow several alleged cybersecurity breaches by some authorised representatives (ARs) of RI.

ASIC is arguing that, after becoming aware of the incidents, RI failed to adopt a cybersecurity framework to guide all of its cyber-related activities and failed to undertake a risk assessment across its entire network of ARs.

These proceedings are a warning to all AFSL holders that the general obligations in section 912A of the Corporations Act may extend to an obligation to ensure that cybersecurity issues are adequately managed and adequate cybersecurity infrastructure is implemented.

The general obligations

The obligations imposed on AFSL holders under section 912A of the Corporations Act include obligations to:

  • do all things necessary to ensure that the financial services covered by the licence are provided efficiently, honestly and fairly;
  • comply with the conditions on the licence;
  • comply with the financial services laws;
  • have available adequate resources (including financial, technological and human resources) to provide the financial services covered by the licence and to carry out supervisory arrangements; and
  • ensure that its representatives are adequately trained, and are competent, to provide those financial services.

Declarations and penalties sought by ASIC

ASIC is seeking:

  • declarations that RI breached its obligations as a financial licence holder and contravened the general obligations referred to above;
  • pecuniary orders under section 1317G of the Corporations Act in an appropriate amount to be determined by the Court; and
  • compliance orders requiring RI to implement reasonably appropriate systems to adequately manage risk in respect of cybersecurity and cyber resilience and to provide a report from a qualified independent expert to confirm that the systems have been implemented.

In its notice of filing, ASIC says that it is essential that an AFSL holder which holds (including through its ARs) confidential and sensitive client information and documents has in place adequate risk management systems and resources (including technological and other resources) in respect of cybersecurity and cyber resilience.

Ensuring that representatives comply with their obligations

On 4 September 2020, ASIC commenced civil penalty proceedings against Dixon Advisory and Superannuation Services Limited (Dixon Advisory), a subsidiary of ASX-listed Evans Dixon Limited (Evans Dixon).

Best interest duties

Under the Corporations Act, providers of personal advice to retail clients have various duties in relation to those clients, including that:

  • the provider must act in the best interest of the client;
  • the resulting advice must be appropriate to the client; and
  • if there is any conflict between the client’s interests and those of the provider, licensee, authorised representative or their associates, the provider must give priority to the client’s interests when giving the advice.

The Corporations Act imposes liability on licensees for contraventions by their representatives of duties, including those mentioned above.

ASIC’s claims

ASIC alleges that Dixon Advisory failed to ensure that its representatives acted in clients’ best interests and provided appropriate advice. Furthermore, ASIC alleges that Dixon Advisory representatives knew or ought to have known that there was a conflict between clients’ interests and those of entities associated with Evans Dixon, and failed to give priority to the clients’ interests.

ASIC is seeking:

  • pecuniary penalties against Dixon Advisory. The maximum penalty for the Dixon group’s contraventions before 13 March 2019 is $1 million per contravention, and contraventions after that date can attract penalties of up to $10.5 million per contravention; and
  • orders that Dixon Advisory puts in place appropriate systems, policies and procedures to ensure that Dixon Advisory representatives comply with the best interest obligations, which are to be confirmed in a written report from an independent expert.

If you have any questions about your obligations as an AFSL holder or financial adviser in light of ASIC’s recent enforcement action, please contact a member of the Addisons Corporate Advisory team.

This article is part of the 2020 Financial Services Newsletter.

Liability limited by a scheme approved under Professional Standards Legislation.
© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.