There have been many notable legislative and regulatory developments in the fintech sector this month. Alongside the release of the Budget 2018-19, Australian regulators have been particularly focused on facilitating innovative new businesses entering the market, including the establishment of the tiered market licensing regime by the Australian Securities and Investments Commission (ASIC) and the new restricted authorised deposit-taking institution (ADI) licensing framework by the Australian Prudential Regulation Authority (APRA).

The European Union’s General Data Protection Regulation (GDPR) has also come into effect. The GDPR introduces strict new data protection measures with a broad extra-territorial reach. Australian fintechs should consider whether the GDPR impacts existing data protection policies and procedures, and update as needed. See G+T’s insight here for further information.

ASIC has also updated its guidance in relation to initial coin offerings (ICOs) and cryptocurrency. This guidance has been detailed here.

Please be in touch should you wish to discuss any of the below.

Fintech fact: In their 2017 Cyber Security Survey, APRA found that 74% of respondents had cyber insurance policies in place with a further 17% of respondents actively considering taking out a policy.

Budget 2018-19: what fintechs need to know

On 8 May, the Australian Government released its 2018-19 Budget. Our recent insight delves into the core announcements from the Budget. There are four key areas that may impact the fintech landscape both locally and abroad – these have been discussed in-depth here

ASIC has introduced a two-tiered licensing regime for financial markets in its updated regulatory guidance, Regulatory Guide 172 Financial markets: Domestic and overseas operators (RG 172). The guidance has been updated following generally positive responses to consultation last year (discussed here). RG 172 has also been updated to clarify expectations in relation to technological resourcing and risk management obligations, bringing ASIC’s approach in line with regulators in foreign jurisdictions.

Under the new licensing regime, market venues can be designated as either Tier 1 or Tier 2 licensees, depending on their nature, size, complexity, and the risk that they pose to the financial system, and investor confidence and trust. Generally, Tier 1 licences are expected to cover traditional markets and significant non-exchanges while Tier 2 is targeted at specialised and emerging market venues. Tier 2 licensees will not be permitted to use the terms “exchange” or “stock/securities/futures market” in their title or marketing material. However, Tier 2 licensees will have reduced regulatory burdens to accommodate new and specialised market platforms. This is likely to impact, among others, operators of markets, operators of market-like venues (ie, those that facilitate the trading of financial products on the basis of an exclusion or exemption from the Corporations Act 2001 (Cth)) and crowd-sourced funding platforms seeking to offer secondary trading.

ASIC has indicated that market venues seeking an exemption under the new licensing regime will only be granted one in “rare and exceptional circumstances,” given the flexibility offered by the two tier system.

APRA establishes new restricted ADI licensing framework

Following consultation last year (discussed here), APRA has released an information paper establishing a new restricted ADI (RADI) licensing framework.  

Broadly, the new framework enables eligible entities to seek a RADI licence which will allow them to conduct a limited range of business activities for a period of two years. The rationale behind the framework is to assist RADIs in seeking the investment required to develop capabilities and resources in order to meet the full prudential framework and be ready to commence banking business as an unrestricted ADI . After the two year testing period, the RADI licence holder can apply for an unrestricted ADI licence, or it must exit the banking industry.  

The framework has been discussed in detail here.

On 9 May, the Australian Government agreed to the recommendations included in the Review into Open Banking in Australia, both for the framework of the overarching Consumer Data Right (CDR) and for the application of the right to Open Banking. The Open Banking regime will be introduced with a phased implementation from July 2019.

The CDR will enable customers to share their transaction, usage and product data with service competitors and comparison services. The Australian Competition and Consumer Commission (ACCC) is to be the key regulatory body (supported by the Office of the Australian Information Commissioner), which has indicated that the CDR will allow consumers to compare and switch between goods and services more easily, which will encourage competition between service providers and lead to more innovative products at better prices.

The Open Banking framework is the application of the CDR to the banking sector; the first sector to be designated as such. The phased implementation contemplates data on credit and debit cards, deposit and transaction accounts to be available by July 2019, with mortgage data included by February 2020 and remaining product data available by July 2020. All major ADIs will be required to adhere to the above timeline, with remaining ADIs having an extra 12 months to implementation for each phase.

It is anticipated that over the coming months, the Treasury will be consulting on draft legislation, the ACCC will be consulting on draft rules, and Data61 will be consulting on technical standards. The introduction of Open Banking is set to significantly impact the fintech sector as it encourages innovation and new third party services whilst ensuring that data is subject to sufficient privacy and security safeguards.

Following consultation earlier this year, the Minister for Revenue and Financial Services has announced the establishment of the Australian Financial Complains Authority (AFCA) as the operator of the new single external dispute resolution scheme for consumers and small business complaints.

AFCA will be overseen by ASIC and will be able to deal with complaints about financial firms (including banks), credit providers (including in relation to small business lending disputes), insurance providers, financial providers, managed investment schemes and superannuation trustees. Reports will be provided to ASIC where AFCA identifies serious and systematic contraventions by financial firms.

The new scheme will replace the current complaints processes operated by the Financial Ombudsman Service, Credit and Investments Ombudsman and the Superannuation Complaints Tribunal and will operate under significantly higher monetary limited and compensation caps.  AFCA will commence accepting claims from 1 November 2018, however existing claims will not be transferred to AFCA.

All financial firms that are required to have a dispute resolution system to deal with complaints by consumers and small businesses  must become members of AFCA by 21 September 2018. ASIC has indicated that the process of applying for membership will be outlined in the coming months.

At the inaugural #ACCELERATE RegTech 2018 event, ASIC Commissioner, John Price emphasised ASIC’s commitment to engaging with regulatory technology (regtech) and discussed the results of ASIC’s natural language processing trials.

The Commissioner acknowledged that regtech is a core element of risk and compliance frameworks for some parts of the Australian financial system, and as such, ASIC was committed to the following guiding principles in its approach to regtech:

  • working towards regtech outcomes that align ASIC’s strategic objectives;
  • undertaking a focused number of initiatives that have near term deliverables; and
  • having regard for industry input, international case studies and learnings when forming plans.

The Commissioner re-asserted ASIC’s technology-neutral approach and discussed the expansion of the Innovation Hub to include engagement with the regtech sector. This has taken the form of regtech events such as ASIC’s Regtech Roundtable and Showcase, as well as ASIC’s new Regtech Liaison Forum, which was designed to facilitate networking and stimulate discussion on the positive applications of regulatory technology. The Regtech Liaison Forum has also created a venue for information sharing and targeted discussion identifying practical areas of focus for industry and regulators. Alongside this, the Commissioner noted that ASIC has had over 60 meetings with regtech stakeholders and service providers to discuss developments in the sector and will hold Regtech Liaison Forum meetings every three months for interested parties.

The Commissioner also gave an update on ASIC’s natural language processing trials in relation to resolving regulatory problems. ASIC has tendered for the provision of pilots in areas such as (but not limited to) the advertisement and promotion of financial and credit services, managed fund product disclosure statement review, financial advice file review and prospectus review. The Commissioner indicated that ASIC has received 30 applications from solution providers and was intending to select trials to begin this year.

ASIC has opened public consultation through Consultation Paper 300 Approval and oversight of compliance schemes for financial advisers (CP300). Broadly, CP300 notes ASIC's proposed approach to improving and overseeing compliance schemes for financial advisers. As of 1 January 2020, ASIC will impose a suite of ethical and education requirements for financial advisers who are authorised to provide personal advice about financial products to retail clients. Fintech businesses should note that financial advisers will be required to comply with a code of ethics developed by the Financial Adviser Standards and Ethics Authority, and be covered by an ASIC-approved scheme under which their compliance with the code of ethics will be monitored and enforced.

CP300 outlines the process for applying for approval of a compliance scheme, ASIC's expectations for the governance and administration of compliance schemes, how ASIC proposes to exercise its powers to vary and revoke scheme approval, a proposal to amend the law to ensure that monitoring bodies can gather information from AFSL holders and authorised representatives that need to carry out proactive monitoring activities, and draft guidance regarding the notifications that monitoring bodies must make to ASIC. 

Over the six week consultation period, ASIC is seeking comments primarily from applicants for compliance scheme approval, financial advisers and AFSL holders who authorise financial advisers, in three key areas: (i) the likely costs of compliance, (ii) the likely effect on competition, and (iii) other impacts, costs and benefits.

The consultation period closes on 28 June 2018, with ASIC intending to release a regulatory guide setting out its final policy by the end of September 2018.

The ACCC has released its ninth annual Targeting Scams report, which explains key trends in scam activity and highlights the impact of scams on the broader community.  Key findings included:

  • Scams have continued to evolve with technology and social and market trends. Complex scams targeting businesses have included the use of targeted techniques such as phishing and malware to manipulate key personnel in the business;
  • There was an 8% increase in reported scams overall, with the ACCC highlighting particular concern that there was a 33% increase in reported losses as a result of investment scams and the number of reported losses over A$400,000 more than doubling between 2016 and 2017; and
  • In the fourth quarter of 2017, reporting of cryptocurrency and initial coin offering-related scams increased seven-fold compared to the start of 2017. The ACCC noted that total reported losses exceeded A$2.1million.

The report is a useful reminder of the intersection between scams, technology and commerce, and reinforces the importance of considering and responding to cyber risks that may accompany operating a fintech business. ASIC has provided regulatory guidance setting out its expectations for minimum standards for managing cyber risk, while the ACCC has provided guidance to assist financial institutions in implementing good practices to reduce scams operating through their platforms.

International developments in cryptocurrencies

There have been many developments around the world in relation to digital currencies. Get across the details here.