ASIC Enforcement, Internal Audit and Crypto – and FRAA

Recent remarks by each of ASIC Chair Joe Longo and ASIC Commissioner Sean Hughes have looked at the issue of deterring harmful conduct, but through some very distinct lenses.

Chair Longo stressed ASIC’s commitment to enforcement - his clear strategic statement in the most recent ASIC Corporate Plan about the importance of enforcement was further underlined by his remarks.

A strong commitment to targeted, credible corporate law enforcement is a critical feature of effective regulation ASIC Chair Joe Longo, 22 Nov 2021

Commenting on enforcement’s function of  ‘supporting those who want to do the right thing’, he emphasised the range of powers now available to the agency as part of its regulatory toolkit. A clear objective for the agency’s enforcement unit is to take ‘considered and proportionate action where [ASIC finds] harm or wrongdoing’.

We will use the full range of our regulatory powers, from our supervisory work through to litigated enforcement matters. You can expect nothing less. ASIC Chair Joe Longo, 22 Nov 2021

The ASIC Chair emphasised the objective behind deploying the powers in ASIC’s armoury – to deter harmful conduct, to hold to account individuals and corporations who treat their responsibilities as optional, and to drive a culture of better corporate behaviour.

In contrast, Commissioner Hughes looked at the importance of the organisation-centric role of Internal Audit, the third line of defence in many market participants’ risk governance frameworks. He also noted the speed of the move to a digital-first environment accelerated by the pandemic:

This digital transformation has led to many benefits but it also came with a shadow-side – a convergence of consumer harms, some of which are entirely new and others more evolutionary ASIC Commissioner Sean Hughes, 25 Nov 2021

And he strongly asserted Internal Audit’s role in pursuing better outcomes for customers pointing out that ‘consumers need [Internal Audit’s] insights on risk and wariness to harm more than ever before’. This is based around the key role that Internal Audit plays in independently reviewing and improving an organisation’s risk management practices, especially in the area of non-financial risk.

Commissioner Hughes mentioned the risks that accompany the search for higher yield in a low-yield environment, and referred to ‘crypto-assets’ as examples of risky investments some of which are not currently subject to markets conduct regulation in Australia.

He also pointed to ASIC’s current engagement with the Internal Audit functions of financial institutions, clearly implying that this focus is now an important part of ASIC’s supervisory processes.

Similarly, Chair Longo noted the speedy developments in the ‘crypto-universe’ as well as the complexity surrounding ‘de-centralised autonomous organisations’ that are governed by AI including blockchain technology. And he observed the extraordinary consumer and investor demand in the crypto space, and the potentially huge implications this has for consumers.

Very importantly, while warning about the need for caution in crypto-investment, he asked:

Who among us can say that they really understand crypto-assets and cryptocurrencies? ASIC Chair Joe Longo, 22 Nov 2021

That is an authentic and important question rarely asked in market circles and points to the potential for lack of understanding amongst investors about these products and the risks involved. And it begs the question as to what issuers of crypto (and their internal three lines of defence that should support those organisations) ought to be doing to fill awareness gaps, whether those assets are regulated or not.

The link in these very recent observations of two ASIC Commissioners on enforcement, Internal Audit’s function, and the risks of crypto ought not to be lost on the market. This is backed up by ASIC’s recent significant actions in enforcement, in particular on non-compliance within the financial sector. And yesterday’s issuance of ASIC’s latest biennial report on cyber-resilience in Australia’s financial markets keeps the pressure up on cyber security and governance.

This momentum also matters for ASIC itself – the newly formed watchdog’s watchdog, the Financial Regulator Assessment Authority, has just revealed the scope of its initial review of ASIC that targets ASIC’s prioritisation process. Priorities in enforcement and other key areas and how they are decided can be expected to be high on FRAA’s list.

Feel free to reach out to our dedicated Risk and Digital Operations practice if this post has raised any issues for you.