Transcript of Speech and Q&A Session Panel Participation at the Regulators 2022 (FINSIA)

Thanks, Nicole. So now we're going to move to a little bit more of an informal session where I will try and facilitate some discussion. I'm going to do my best to facilitate some discussion here. And then by around two, go to questions from the audience, which should allow 15 minutes or so for questions, and then a hard stop, I repeat, a hard stop at 2:15 where I'll invite the CEO of FINSIA to come up and close.

So let me just move down here, just checking. Yep. We've done that mic seamlessly. How good are they?

So I might turn to you first, Michele, thank you so much for your comments. You talked a lot about innovation or in your remarks, you talked about innovation. I was wondering when you think about innovation, how do you strike a balance between not holding back innovation, but at the same time, having a safe and secure system?

Really, I would say that's the essence of what we're doing. So we're not an enforcement regulator, unlike ASIC and AUSTRAC. We try to use … we try to work with the industry to work out what are the risks that might need to be addressed and how might we address them. I think the other thing too, is that if you think about innovation particularly in this area, access is really, really important. We hear, lots of new firms to these areas who complain a little bit and they say, well, the infrastructure's all controlled by the standard financial system. How can we compete? We hear a lot about, for example, in the cross-border space we hear a lot about innovative firms trying to offer good services in that space and they complain about being de-banked.

So how do you work with the established financial system to address the risks that might arise from something like cross-border and that sort of crosses a little bit into Nicole's area, but at the same time, make sure that the innovative participants can bring some competition to the system. So as I said, the way we do that is we go about working with the industry and one of the things I think that will be important is if we can get this licensing framework up and running for some of these more … which is appropriate. You don't want to be an ADI, but you don't want all that overhead, but you want to be able to compete and you want to be able to show that you are a credible and well run organisation. Then we need a licensing regime that can handle that. And the moment I think, we probably don't have that so I think that's very important.

A question off the cuff. Is there anywhere we see globally where that's been done really well?

It's been done reasonably well, I think in Singapore, although I have to say the crypto world is causing problems for everyone at the moment. That's an innovative area where I think everyone is just a little bit nervous about the potential implications, particularly for consumers. Consumer protection is not our particular area, it's more ASIC's, but I think they're worried about that. But Singapore does it reasonably well. England is also reasonably advanced in this and the Europeans are having a fairly good crack at it as well. So there's a number of areas to look at but it's moving fast and legislation takes time.

Yeah, that's a problem that's been mentioned a few times today, so I might move to you, Cathie. And thanks so much for your remarks. I just wanted to focus in on cyber risk which is something at PwC we're hearing about all of the time, both in terms of our own business, but also our clients across the market. It really is a key focus area for ASIC and rightly so. And you did mention a breach that's happened recently and consequences for that breach which is absolutely appropriate. But what we also find is that companies are really struggling with how to keep pace with all of the cyber-attacks and the developments and you can assume that there's stuff going on in every single organisation across the market. So what's your advice from a regulator's perspective to companies, as they try to keep pace with this?

Well, this is a fundamental issue and it needs to be front of mind for all of us because we all rely on technology to run our businesses, to live our lives. So the advice is to make it front and centre. It is not an IT issue. It's a business strategy, business leadership issue. You need to be really focused on it. And of course, you need to have an assessment system. There's established assessment systems, whether it's the NIST system, which is it comes from the US and it's been well in place for a long time now, or whether it's some of the other systems, or even if you use the Essential Eight guidance from the Australian Cybersecurity Centre. You need to have a system to assess where you're at. It needs to be meaningfully done.

And then you need to be prepared to make the investment to address the issue. And one of the things that I think so many of us forget to do is to accept that we're probably likely to have some sort of cyber disruption. We're going do something wrong. And what I think is really important is you start to run scenarios and you make sure your senior management is involved. They're not sending off, you know, a sort of a proxy for them. They're actually involved, your boards are involved in running those scenarios. And they absolutely know how they're going to deal with the issues, because they will arise and you need to have arrangements in place. They're a great source of information, we've been doing benchmarking self-assessments for, I think the last one that we produced was last December of financial market firms. But there are all sorts of sources of information. So just really have a look if you haven't engaged with it. But the main thing is to be making sure that the leadership of your firm is really engaged. It's their problem. It's not, not the IT department's problem.

Yeah, in a recent survey we did of CEOs across the market. It was the number one issue on CEO's mind. So I think it's there. I think everyone's just grappling with, you know, how to respond and the investment it takes. So Wayne, just turning to you. Thank you for your comments. I'm going to ask you a broad question. You discussed a number of priorities and themes for APRA. What's the thing that worries you the most?

Well, I'd start by saying thankfully not a huge number of things because we've got a good financial system. And, and as I look around the world, quite genuinely, there aren't many financial systems I'd swap for the Australian financial system. I think we are very lucky with what we have in this country. If you asked me though, what I would worry about or lose sleep over, it'd be none of the issues I talked about today because I think the things I talked about today were sort of trends, whether it's interest rates or housing prices or insurance affordability, improvements to the superannuation system, they're all trends. They're sort of, there's a bit of uncertainty around trajectory and speed etc., but they're all trends and people have time to respond to them and adjust to them. And, and so no one should be sort of particularly caught off guard by those sorts of things.

The things you worry about are the things that come over your shoulder and sort of out of your field of vision and all of a sudden are here and sudden, and severe. And so that, you know, that could be the cyber-attack, the major cyber-attack that Cathie's talked about. It could be a natural catastrophe that took out critical infrastructure. It could be an escalation of geopolitical events. It could be an adverse turn, severe adverse turn in the path of the pandemic. It's those sort of things that have the potential to catch people off guard.

So you can't prevent any of those things. You can't stop them and almost by definition, because they are unanticipated, you haven't anticipated them. But what you can do is make sure you've thought about and have good plans in place contingency plans in place that aren't so scenario-specific that if your particular scenario doesn't eventuate, you're caught off guard. You know, you need a general preparedness and we are certainly putting a lot more effort now into recovery planning in the financial system to make sure that whatever the adversity comes from, we don't know when, we don't know where, we're not quite sure where it will hit, but we know something will go wrong at some point. And being ready with good contingency plans, a menu of options that are robust that you can deploy as needed is sort of how we approach that.

Yeah. We all have to be agile.

That's right.

Yeah. Nicole, thanks so much for your remarks. And it is a fascinating world, I have to say. I hope you don't get too depressed. <Laughs> You mentioned your work briefly on sanctions in relation to Russia. What impact has the conflict in Ukraine and the increasing broader geopolitical tensions had on, on AUSTRAC?

Firstly, we're not the regulator for sanctions, that's the Department of Foreign Affairs and Trade. But we do help regulated entities with managing that and take, of course, the suspicious matter reports related to sanctions. I have to say the response has been fantastic. We actually thought that everyone would be quite out of practise. It's a long time since we've done it at any volume, but it's been great. We don't have a lot in the Ukraine/Russia situation. There's not a lot of money flow as most people in this room would know between Russia and Australia. So we haven't been bombarded, but there's been some great insights from industry that have helped with some of those sanctions and oligarch work. That's not just helped us domestically, but we're on Five Eyes groups that are particularly helping the UK and US who have a lot more to do in that space.

The geopolitical political situation at the moment is interesting. We're part of the national intelligence community, so we do a fair bit of national security work. Something that we are really have been focusing on in the last 12 months and continuing to do in the next couple of years with some of your companies actually, is working on some more capability building in the South Pacific. We've done a lot in southeast Asia over the last 10 years, which has really paid dividends. But we've started to focus on the Pacific Islands and at the moment we've got 12 of the 16 on a working group to look at that capability. So that's something that as I say, some of your organisations are involved in as well.

Yeah. Thank you. Michele, I might just ask you, I'll try to get one more question in each before we go to the audience, obviously so much change happening in the payment system. What are the key risks you're trying to mitigate or address through regulation there?

Yeah, so I think probably the main risks are the things we're focusing on, probably are the potential financial stability risks. And I mentioned earlier crypto and everyone probably will have seen all the news about the so-called stablecoins being not so stable anymore. I think this is a risk that regulators around the world are worrying about. They're not big enough at the moment to cause financial stability issues, but their links to the financial system are increasing and so I think there's potential there for certainly risks to rise and rise quite quickly. You know, Wayne said it's a trend, so it's not something that's coming from left field, but it is certainly a big risk. The other one, again, I'm going to reinforce is cyber. It's not if, it's when, and these sorts of things are quite important, particularly for systemically-important financial market infrastructures, the ASX infrastructures, for example. You know, the risks of a cyber-attack on something like that causing problems for the financial markets is severe. And so I think we've all got to be really on top of our game and those sorts of infrastructures really need to be extra on top of their game.

Yeah. Agree, Cathie, another one for you in an environment of rising interest rates, will you have a particular focus at ASIC in terms of customer outcomes?

Well, we always have a focus on customer outcomes. If you like, that's our bread and butter. We are wanting to have Australians really confident about, and engaging with the financial system. And we're particularly alive to hardship issues that might arise. And that characterised many of the steps we took over the pandemic period, too, to really address situations where there could be hardship for customers. So, absolutely we are focusing on that. One of the things we that's happened over the last 10 years or so is that we have a new array of powers. One is a product intervention power, which allows us to step in and actually ban or impose conditions on a product being made available to consumers if there's a likely substantial detriment to them and we have exercised our power. Just in April we announced an extension of our product intervention power for contracts for difference in relation to retail investors; there's quite specific conditions that are imposed on those products now.

But the other one, which I think people are really interested in seeing how it operates is what we call the design and distribution obligation. So that is about making sure that when you design a product you actually design it with the customer in mind. The outcome for the customer is paramount and how that product is distributed has got to be reflective of that design philosophy. So you distribute it to that group of consumers that you had in mind. Now that legislation only became effective in October last year and we gave a little bit of time for the industry to make the adaptions necessary, to really feel comfortable with that new legislation. We now are going to be looking very closely at how that legislation is being observed. If you like, we're going to have targeted surveillance over, you know, the traditional consumer products, looking to see how well industry is going at achieving those customer outcomes. So that'll be an area of interest.

Yep. Wayne, I'm going to ask you a specific question around data collection, because I know a number of firms are sort of going through this process and grappling with it a little bit. Can you foreshadow what the ultimate vision is and what, what this might look like in say five years' time?

Yeah, so, I mean, unfortunately we still have a legal infrastructure under which we collect data, which really hasn't changed from, dare I say it, when I started my career in 1984. Thank you. But my first job was collecting forms and entering data, and that involved going to the mail room, getting the envelopes, opening the envelope, pulling out the paper, translating the numbers that the banks had written on the paper onto … and the infrastructure we still have is built on this concept of a form even today and clearly, you know, that's not fit for purpose anymore.

So a large part of the investment that we're making in the new technology that we are trying to use now is to get away from that altogether to think truly about what is data, how do we extract it in a way that is much easier for those that have to give it to us, to deliver it to us? So understanding easier which information is required. Avoiding too much in the way of having to do elaborate manipulations and aggregations before it's given to us. Allowing a much smoother process by which it can be transferred to us. Automating a lot of the quality control and quality checks that currently is quite manual in many institutions. And then allowing us to share it with peers, including peers on this panel, so that you aren't providing information to APRA and then providing not quite the same, but very similar information to the RBA or ASIC. But rather we have a whole of system view about what data the public sector needs, we have a single collection point and then the public sector makes use of it if you like from APRA's database, rather than reaching out continually to collect disparate information from the industry.

So, as I said, the whole objective, if you like a single portal that people are able to put information in, it's much easier to submit. It's much clearer what's required, much easier to submit much more usefulness from the data and our ability to give it back to users. So I think it's just looking through that, the vision, if you like is to look through every step of that process and bring it into something that's actually modern, rather than this whole idea in which it's currently based on, of people submit forms.

Yeah. Okay. Strap yourselves in. Nicole, financial crime is a very serious topic and I feel like we've had this escalation of maybe it's only understanding, maybe it's always been so prevalent, but certainly in recent times everyone's becoming much more aware of it, which is probably somewhat due to your good work as well. But you talked a lot about education, what more needs to be done in terms of the fight against financial crime?

I'm really glad you said, Kristin, that you think that there's more of an awareness. I sometimes wonder about that. I have to say when I started in this role four and a half years ago and talked about money laundering, people would be like, ‘oh, that's really just a white-collar tax evasion type crime, isn't it?’ And it wasn't until, I think for a lot of people, the light bulb went on about what money laundering is, what it's caused by and what it's for, and that it has serious impacts on all of us. That I think is changing. It's certainly changing with professionals in this room get it. I have to say I've perhaps been a little bit naive thinking that the other 16,000 entities or all the sectors that we regulate, they would also have come on the journey. That's evidently not the case. There are still sectors that we regulate that think that they're, you know, they don't need to do what the banks have done, in that heavy lifting. So we'll continue with that education there.

Simple things about what we need to do, and it's not a surprise to anyone in this room, the technology. As we've talked about every time we race forward with technology, we really need to ensure that there aren't any unintended consequences and we're doing the right thing and we're investing in systems properly and not at speed, when we need to understand what the ramifications are. Boards and CEOs continually setting the standards from the top about culture and the importance of financial crime; that keeps coming back to us. And I think the outcomes of, you know, we try and share now with entities what they have participated in, particularly in our public private partnership, Fintel Alliance, when entities have provided information and worked with us to have an outcome, and there's an actual, tangible law enforcement outcome. We can go back to those members and say, it was because of you a child sex offender was arrested today. And that, that really focuses people on why it's important.

Yeah. That really brings it home, doesn't it. So on that note, we're actually going to go to the floor and I'm going to try from this seated position to see you all I'd ask if anyone has a question, can you please raise your hand and someone with a roving mic will come around to you and can you please just indicate who your question's for and where you're from. Thank you. It's hard to see. I think there's one over the back here. Sorry, just bear with us, while we get a mic to you.

Hi there, it's James Eyers, from The Fin Review. I'm just interested in the comments on cryptocurrency from Michele, given what we've seen this week. And I was just wondering whether or not Wayne or Cathie might like to add anything to that. Wayne, do you think sort of seeing this this stablecoin de-peg from the US dollar does that say anything to you about the need to regulate stablecoins more broadly, especially the ones that are linked with actual backing to fiat currency? And Cathie, anything that you've seen this week that changes your thinking about whether or not cryptocurrency is relevant for the retail market, given ASIC's currently looking at a couple of AFSL applications, as I understand it. And also one from a major bank, just to sort of push this into the retail sector.

Do you want to go first or me?

After you.

So I'll go first, James, thanks for the question. I'm going to start by noting, obviously, there's some proposals out there by the government to change regulation and we've commented on those today, but as we sit in a caretaker period, I'm going to be quite careful what I say about what should or shouldn't be government policy going forward. Clearly what we want to look at and what we are looking at, and we have been looking at in the Council of Financial Regulators, is how do you make sure you can balance the innovation the new technology brings with the need to avoid, sort of, undue consumer harm, particularly about where there are instances where the view or the balance is that it's very difficult for consumers to really understand the risks that they're running.

For a prudential regulator clearly, it's been understood for a long time. It's very hard for a consumer to understand the credit risk of the bank that they put their deposit in, or the ability of the insurer that they take a policy from to pay that claim, to have the financial resources to pay that claim. It's very hard for superannuation fund members to judge how well their money is being invested. So, hence there's a role for a prudential regulator there. It's not obvious to me that the role that might be needed when it comes to stablecoins is necessarily a role for the prudential regulator as such. But I think it's clear and certainly absolutely worthy of consideration that as these sorts of digital currencies move more and more to the mainstream, that there is going to be some form of regulatory set of requirements needed. Some of it will be protective. And some of it, as Michele said, will actually be helpful to facilitate an orderly market development.

And from my perspective in relation to retail access to whether it's stablecoins or crypto-assets the question we ask is, is this product within our regulatory remit? If it is, we look at it on its merits, like we look at anything else. I really would encourage people to engage with the current consultation that's in place, that the government is conducting. I think it is a really important time for us to think about what's our approach in Australia to these issues. And we know that in the US, President Biden issued an executive order to have the regulators there look at the issue. Europe has taken a particular approach with the MiCA legislation, and I think it's important for us to really engage with what's the right model for our country. And also, to think about this is a lot of the products, at least that we see being sold to Australian investors, often originate out of Australia. So this is an area where I think the international cooperation and learning from the experience of other organisations, other countries, is really going to be important. We want to avoid issues like market fragmentation, those sorts of things, which actually don't support innovation. So I think it's a really good time for us all to have these conversations and really encourage people to engage with that consultation process.

Another question. Oh, okay. I can see you up the back there. It's hard to see from here. Sorry.

Hello, Robert King from RegulationCity.com. Question primarily for APRA. APRA have turned the blow torch on the smaller superannuation funds – I think you said ‘good enough is not good enough’, I think was your expression. Do you see a near future where you'll be turning that attention to the smaller ADIs?

No, it's different. So we've got different obligations to those sectors and it's a bit simple to describe it as a focus purely on small super funds, because more correctly, it is a focus particularly on the underperforming super funds. In super, there is a scale benefit that comes from size. And so probably there are more challenged super funds at the smaller end of the scale than otherwise. But it's the recent performance tests, the heat maps that we produce, show that it's not purely a size issue. We shouldn't pretend that every medium or large fund is doing absolutely wonderfully. But the nature of the promise that's being made by the trustees of a Superfund is very different to the nature of a promise that's being made to a depositor of a small bank or ADI.

The mutual ADI sector, it has consolidated over recent years but it's actually overall, a reasonably healthy well capitalised sector. Super funds are promising performance, if you like, we're generating good retirement incomes. In the banking sector, we're just promising you that you will get your deposit back when you want it. And there's no suggestion that smaller institutions can't do that as well as the larger ones, so that's the long-winded answer. The shorter answer to your question would've just been to say no, but I tried to put some context around it.

Probably got time for one or two more questions, okay, now they're starting to come. There's one here.

Hi. I'm Rhonda from the Australian Banking Association, and this maybe a question for the panel, potentially more for Wayne and Nicole. So Michele, in her opening remark talked about the payment system becoming a more complex payments ecosystem and I think that's what we are seeing in other spheres of life and in other parts of the financial services industry, where yes, you have the critical infrastructure, but you also have the ecosystem with new participants and new roles being assumed. So in this environment should that, and how does that maybe challenge the way the industry and regulators think about issues such as cyber resilience and maybe financial crime as well?

All right. Well, I'll have another go. So it's a really good question and it's caused us to think hard about how we go about regulation and particularly, I think it was Cathie, maybe it was Michele, I can't remember, someone mentioned our cybersecurity strategy and how we think about cybersecurity in the financial system. Because again, a bit like my comment before about the legal framework for collecting data is still based on this idea of forms. We still have the Banking Act 1959, which is still built, I think, on this concept of a bank that is a big stone building and it has a safe at the back and maybe more modern times, it has a computer in the basement. It doesn't work that way anymore. Clearly, we're seeing more and more services outsourced to third parties.

And if you look at many of the vulnerabilities that have emerged, and not just the vulnerabilities but where cyber incidents have occurred in recent times, increasingly it has not been the bank itself making a mistake or having the vulnerability. It's been a problem that has existed in a third party supplier, probably in a fourth party supplier to the third party supplier, that's sort of transmitted itself to the bank.

So we have to think not just about what is the legal entity that has the banking licence or the insurance licence or whatever it might be these days, but much more about how do you have visibility and oversight of all of those key, particularly the material and the systemically-important third party and fourth party suppliers. And there's a lot of work happening not just here, but recognising it as a global issue. And many of the key suppliers to the banking industry that are systemically important are actually global firms, not Australian firms. In thinking about how we all get greater assurance that the standards and expectations that we would have for a bank or a locally regulated entity, we can get those same assurances from unregulated, but very important suppliers. So I don't have the answer; there isn't a crisp answer to that one, but very much it's on the radar screen of the work that's going on at present.

Nicole, any comment from you?

What I'd add to that is maybe an example of some of the issues we have exactly in that space, and de-banking, dare I say it, is one of those and we're all working very closely on the issue. But it's a good example of entities trying to de-risk on whether it's AML or correspondent banking or a range of other reasons. And AML is put up there at the top that can look in a short-term solution to be a great way to de-risk your individual business, but from a financial crimes point of view, that's the last thing we want to do because we lose visibility then of those people in the system. And they quite often now go underground because there are more anonymous ways to bank in our system than there ever were before. So it's a really good question and I can't add to what Wayne says, because it is exactly those sorts of things that as technology changes and as risk appetites change, we can quite often be at odds with each other. And there are unintended consequences that we need to work on together and that's one we're still chewing over.

Yeah. So I did say that we were going to have a hard stop at 2:15, and I think we're there. I'd like to thank all of you for your insights and your commentary, I think it's been a really valuable discussion today. It does cause me to stop and reflect on the times that we live in. I do take comfort from the fact that our system is well run and pretty secure, but we have to stay very vigilant as we've heard here today. And I think I'll reflect over the weekend on some of the things that I've heard here today. Thank you all.